Monday, December 15, 2014

Audio of interview with Macleans Magazine about SCC Fearon cell phone privacy decision

Last week, I was interviewed by Cormac MacSweeney for Macleans Magazine about the recent Supreme Court of Canada decision in R v Fearon. Listen to the full 15 minute-long interview here:

Monday, December 08, 2014

Former federal privacy commissioner Bruce Phillips has died at 84

Bruce Phillips, who served as Canada's Privacy Commissioner from 1991 to 2000 has died at age 84.

See: Former journalist and federal privacy commissioner Bruce Phillips dead at 84 | Metro.

Friday, November 28, 2014

Nova Scotia FOIPOP Review Officer annual report for 2013

Nova Scotia's new Freedom of Information and Protection of Privacy Review Officer, Catherine Tully, has just tabled the annual report for 2013 [PDF]. Former review officer Dulcie McCallum was at the helm for the period covered by the report.

From the media release that accompanied the report:

Proactive protection of personal information and disclosure of government data highlight FOIPOP Review Officer’s annual report

Halifax – Privacy breaches were front and centre across the country in 2013. In Nova Scotia, at least two of those breaches sparked class-action lawsuits against health care organizations. Today Catherine Tully, Nova Scotia’s Freedom of Information and Protection of Privacy Review Officer, released her office’s annual report for 2013. In the report, Tully highlighted the need for government departments and health care organizations to have strong privacy management frameworks in place to help mitigate the risks from privacy breaches.

“In determining whether or not damages will be awarded the court will no doubt look to the adequacy of the security arrangements and the steps the health authorities took to both prevent and detect the unauthorized viewing of medical records,” said Tully. “Equally important are the steps public bodies take to manage a breach once it occurs.”

The Review Officer said that assisting public bodies and health care custodians to develop privacy management frameworks would be a focus of her office going forward.

Tully also highlighted the importance of government finding ways to be transparent through proactive disclosures of information. Two examples that helped citizens understand how their tax dollars were spent were Halifax’s open data pilot project and the Department of Health and Wellness’ reporting on patient safety indicators. 2013 also saw calls for modernization of access and privacy legislation across the country, including in Nova Scotia. Going forward Tully plans to continue meeting with stakeholders to assess the need for modernization of Nova Scotia’s set of access and privacy laws.

“Transparency and accountability are at the heart of access and privacy legislation. A key element of such legislation is independent oversight that both public bodies and citizens can have confidence in,” said Tully. “Over the course of the coming months I will meet with stakeholders, and review complaints to develop an informed opinion about how well our legislation is working for Nova Scotians.” The annual report noted the backlog of case files that has built up at the Review Office. Tully committed that the backlog will be a priority for her office in the immediate future.

Tully also noted that 2013 saw the Personal Health Information Act (PHIA) come into force, though the Review Office received less contact from the public and custodians under that Act than expected. Tully plans to increase public education efforts around PHIA in the near future.

Friday, November 21, 2014

Newfoundland Supreme Court considers privacy class action, clears first hurdle to certification

The Supreme Court of Newfoundland and Labrador this week considerd the first part of a bifurcated application to certify a class action in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. The cases arose from inappropriate browsing of personal health records by an employe of the defendant health authority. The application was split into two parts and the first focused on whether the pleadings disclosed a cause of action.

The court agreed that the case could proceed on the basis of the following causes of action:

  • breach of privacy based on statutory tort established under the Privacy Act;
  • breach of privacy based on common law tort (“intrusion upon seclusion”);
  • negligence; and
  • breach of contract.

What's remarkable is that Newfoundland already has a statutory tort of invasion of privacy under the Privacy Act. This case stands for the proposition that the existence of the statutory invasion of privacy law does not preclude the existence of the common law "intrusion upon seclusion" tort as described in Jones v Tsige. This is the opposite of the repeated holdings of the courts of British Columbia, where courts have held that the provincial Privacy Act means that the common law tort does not exist there. (See: No common law tort of invasion of privacy in British Columbia, judge finds.)

Wednesday, November 19, 2014

Alberta introduces amendments to privacy law to render it constitutional, falls short

On 18 November 2014, the government of Alberta introduced Bill 3: Personal Information Protection Amendment Act, 2014 to address the shortcomings in the law that rendered it unconstitutional according to the Supreme Court of Canada in the UFCW Case.

While the amendments directly address the constitutional problems of the UFCW Case, but dramatically fall short in addressing the underlying structural issues in the law that led to the the Court's finding that the law was unconstitutional. The Bill grants trade unions -- and trade unions only -- the ability to collect, use and disclose personal information in certain circumstances but do not permit any other organization to do so under the same circumstances. A trade union can record replacement workers crossing the picket lines, but an employer cannot similarly record a picket line, even in a public place.

While the SCC necessarily focused on the union context, PIPA (and the federal PIPEDA) don't sufficiently take into account other forms of constitutionally protected, expressive activities. I suppose it will be left to another day to have either PIPA or PIPEDA struck down on those bases.

For anyone who may be interested, here is a copy of PIPA showing the Bill 3 changes in-place [PDF].

#‎YouKnowHerName‬: Declare amnesty on breaking ban

I wrote this as an opinion for the Halifax Chronicle Herald, where it was printed on 19 November 2014:

The story of the past week has been the publication ban in the “high profile child pornography case” (Google it), when it should have been a discussion about sexual assault, child pornography and cyberbullying.

The police have investigated a number of instances of clear violations of the publication ban and have declined to press charges. They have also declined to provide a rationale, so that the rest of us have no guidance about whether we can discuss this incredibly important story without facing the wrath of the justice system.

The parents of the victim have said her name, over and over again. Social media is rife with mentions of her name. Foreign media have said her name in the context of her story. And this is a good thing, since we as a society have to come to terms with and learn from the horrible ordeal faced by a 15-year-old whose photo was taken and used to further abuse and bully her.

The rest of us are left wondering whether we would face the full brunt of the criminal justice system for saying a single word — her unique name — which has become synonymous with rape, cyberbullying and suicide.

The Criminal Code is clear: in all cases of child pornography, a judge must issue a ban prohibiting the publication or dissemination of the identity of the victim. This makes perfect sense. The last thing we as a society would ever want would be the re-victimization of a young person in the justice system or in the media.

Parliament, when the law was written, did not have this particular situation in mind and left the judge no wiggle room. The ban is mandatory.

However, the judge did make it clear in his decision when media outlets challenged the ban that there is a natural escape valve: even if the evidence shows a clear violation of the law and a slam dunk for a conviction, the prosecutor must determine whether the public interest is best served by the prosecution of the case.

The public interest would never be served by a prosecution of anyone for naming the victim in this case. But we are left with a situation where the rules are completely unclear and anybody discussing this case is standing on shaky ground.

It is time for the Attorney General of Nova Scotia or the Director of Public Prosecutions to publicly state that the public interest would not be served by any prosecution for saying her name and that they would not pursue charges against anyone for doing so.

And then we can stop talking about the publication ban and instead talk about the much more important issues of sexual assault and cyberbullying, and what we are doing about it.

David T.S. Fraser practises Internet and privacy law with McInnes Cooper law firm in Halifax.

Friday, November 14, 2014

The publication ban that makes no sense

I had the pleasure of sitting down to speak with Steve Murphy of CTV Atlantic about the publication ban in a very high profile child pornography / cyberbullying case here in Halifax. (CTV Atlantic: Privacy lawyer weighs in on pub ban | CTV Atlantic News)

The case has become very well known and most people are aware of the name of the victim, but the mandatory publication ban has resulted in a significant chilling of discussion related to this very important issue.

The ban is a mandatory one; the Criminal Code is clear that a judge MUST order a ban on the publication of any information that would identify the victim.

486.4(3) In proceedings in respect of an offence under section 163.1, a judge or justice shall make an order directing that any information that could identify a witness who is under the age of eighteen years, or any person who is the subject of a representation, written material or a recording that constitutes child pornography within the meaning of that section, shall not be published in any document or broadcast or transmitted in any way.

In an application made by the media to have the ban set aside, the judge made it abundantly clear in his decision turning down the application that his hands were tied.

In this case, the victim is no longer alive, having taken her own life as a result of a sexual assault, the distribution of the photo at the heart of the child pornography case, the subsequent bullying and slut shaming. The parents of the victim have been very vocal advocates in this area and need to continue to do so. But the telling of their daughter's story and the discussion that needs to take place all run the risk of violating the publication ban.

The publication ban, in this case, makes no sense and is chilling the discussion of a very important subject. Some have decided to ignore the ban and the Halifax Police today decided they would not pursue charges against a number of who have dared to mention the victim's name, but made it clear that they would investigate any further possible violations on a case-by-case basis. This is counter-productive. As the judge clearly stated in his decision, all of this can be solved by the Nova Scotia Director of Public Prosecutions issuing a statement that it would not be in the public interest to pursue charges in this case.

55. It is not for the court to purport to direct or even to advise or provide recommendations to the Director of Public Prosecutions. I will note however that it would be within the authority of the DPP to issue a direction to prosecutors in a specific case or in a certain classes of cases that it would not be in the public interest to prosecute. It would be within the authority of the Attorney General to issue a public direction to the DPP to that same effect.

The existence of the ban and police/prosecution discretion is having a chilling effect on discussion of this important issue. In my view, it is in the public interest that people be able to tell the whole story of the victim in this case.

If you agree, please feel free to share your opinion with the Director of Public Prosecutions:

Public Prosecution Service (Head Office)
Suite 1225, Maritime Centre
1505 Barrington Street
Halifax, Nova Scotia, B3J 3K5
Tel: (902) 424-8734
Fax: (902) 424-4484

Thursday, November 13, 2014

Police "shoulder surfing" accused's texts via casino CCTV camera is a Charter privacy violation

A judge of the Supreme Court of British Columbia in R. v. Ley and Wiwchar, 2014 BCSC 2108 has just held that police peeping on an suspect's text messages displayed on his blackberry screen via high-powered casino CCTV cameras was a violation of the Charter and would have required a wiretap order to make it permissible. From the decision:

[48] Moldaver J. in Telus Communications Co. concluded that the investigative technique used in that case was substantially equivalent to an intercept under Part VI and in my view the same can be said about the technique of using zoom cameras in the casino. Rather than seeking a disclosure of the messages sent by the applicant from the service provider, the police chose to read them in the process of being sent with the use of a camera. That, in my view, is substantially equivalent to an intercept under Part VI.

[49] As I have said, I am not aware of another way that a copy of text messages can be surreptitiously obtained from someone’s handheld communication device other than by photographing the messages or by obtaining a copy from the service provider. Based on Telus Communications Co., an authorization under Part VI would be required for the latter and should be required for the former.

[50] There was no evidence to suggest that the police could not have obtained a copy of the video footage taken of the applicant after it had been recorded by obtaining a production order, nor was there evidence to suggest that they could not have obtained copies of the text messages sent and received by the applicant during the time that he was at the casino, from the service provider. By instead choosing to photograph the applicant’s messages and retain the recorded footage the police bypassed the authorization requirement that, in my view, would otherwise have been necessary.

Summary of Conclusions

[51] Considering the totality of the circumstances in this case, I have concluded that the applicant’s rights under s. 8 of the Charter were violated by the use by the police of surveillance cameras in the casino to photograph messages on his Blackberry. If I am wrong in that conclusion, then in my view an authorization under Part VI of the Code was required because the actions of the police amounted to an interception of the applicant’s text messages.

Friday, November 07, 2014

Ontario Court awards $10K damages for Legal Aid file-peeking

The Ontario Superior Court of Justice has recently released its decision in McIntosh v. Legal Aid Ontario, 2014 ONSC 6136. While the background facts are messy and complicated (and, once again, related to jilted relationships), the one important takeaway is that the Court granted $10,000 in damages to the plaintiff based on the tort of intrusion upon seclusion after the defendant peeked into her Legal Aid file.

The defendant did not appear to defend the claim, so the court was left with assessing damages on a pretty sparse record, but one that was full of unsubstantiated claims of harms.

According to the plaintiff, her ex-boyfriend provided the defendant with the plaintiff’s full name and date of birth. The defendant used that information to access the plaintiff’s file with Legal Aid Ontario. A few days later, the defendant called the plaintiff and said that she had obtained confidential information from the plaintiff’s Legal Aid Ontario case file. The defendant’s review of the file disclosed that the plaintiff was involved with a Children’s Aid file. The defendant threatened to call the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her. The plaintiff filed a complaint with legal aid and with the Information and Privacy Commissioner of Ontario. Following that investigation, Legal Aid Ontario provided a written of apology to the plaintiff. The plaintiff asserted that information was provided by the defendant to Children's Aid, an investigation took place and it was subsequently closed. There was no evidence of any other disclosure of the plaintiff’s private information.

In her claim made against Legal Aid Ontario and the individual defendant, the plaintiff alleged that as a result of such breach of privacy, she has experienced “substantial anxiety, emotion [sic] upset, depression, significant stress, embarrassment, weight loss, insomnia, isolation, and an inability to concentrate at work.”

In the course of the hearing, virtually no evidence was led to substantiate any of the pecuniary or health-related claims. The Court was left with deciding damages solely on the basis of the peeking into the file.

Here's the court's analysis of the calculation of damages in this case:

[29] The plaintiff asserts in her affidavit that the defendant used the private information to contact the Children’s Aid Society in an effort to have the plaintiff’s children taken away from her, but no documentation of any sort was filed in support of this bald allegation. The failure of the plaintiff to specify disclosure of information to the Children’s Aid Society with the original complaints or as part of the investigative process, coupled with the lack of any sort of supporting documentation, leads me to conclude that the plaintiff has failed to satisfy me that there was any disclosure of the plaintiff’s private information.

[30] In view of this finding, I am left with the task of assessing damages based upon the defendant’s improper access to the plaintiff’s private information only.

[31] The information that had been provided by the plaintiff to Legal Aid Ontario was clearly personal information. It was provided with an expectation that the plaintiff’s privacy interests would be respected and that the information would be used in connection with her legal aid application alone.

[32] The tone of the original complaint to Legal Aid Ontario itself is more consistent with irritation rather than devastation.

[33] If the invasion of her privacy did affect her emotional state, the evidence suggests that it did so in a minor fashion only. There is no detailed medical report, only a doctor’s note concerning a consultation for anxiety, something that has already been noted was a pre-existing condition. Having said that, I am satisfied that the evidence supports a finding that the disclosure of personal information caused the plaintiff a measure of annoyance, anxiety and distress.

[34] Although Legal Aid Ontario provided a letter of apology, the defendant has not seen fit to do so.

[35] After taking all of these factors into consideration, I award general damages in the amount of $10,000. In determining this amount, I have taken into consideration the resolution that occurred between the plaintiff and Legal Aid Ontario, who was originally named as a party defendant, but who is no longer involved in the claim


Though damages for intrusion upon seclusion may range from nominal to $20,000 (per Jones v Tsige), but we may see $10,000 become the standard award.

Thanks to Dan Michaluk for bringing this case to my attention. Check out his commentary on this blog at AllAboutInformation.ca.

Wednesday, November 05, 2014

Appeals Court upholds decision that CSIS lawyers lied to the court to obtain warrants to spy on Canadians outside of Canada

The Federal Court of Appeal has confirmed the decision by Justice Moseley which found that CSIS and the Department of Justice had lied and withheld material evidence in order to get warrants under the CSIS Act to surveil Canadians outside of Canada. (X (Re), 2014 FCA 249) I wrote about the decision under appeal here: Canadian intelligence agencies lied to obtain warrants, Federal Court judge says.

In summary, Justice Mosley had found that the Department of Justice lawyers, acting for CSIS in various warrant applications, had withheld information from the Court in order to get warrants under the CSIS Act. What they withheld was that they would get one or more of their Five Eyes partners to do the spying for them. Justice Mosley had found that the CSIS Act (and customary international law) did not permit the Court to grant a warrant that would effectively authorize the intelligence service to violate the laws of wherever the spying was to take place. (This last part has been addressed in proposed amendments to the CSIS Act in Bill C-44.)

The Federal Court of Appeal agreed with Mosley J that DOJ lawyers did not meet the standard expected and required on an ex parte application:

[66] On this evidence we are satisfied that once the decision was made to routinely seek the assistance of foreign agencies after the issuance of a DIFTS warrant, the duty of candour and utmost good faith required that CSIS disclose to the Federal Court the scope of its anticipated investigation, and in particular that CSIS considered itself authorized by section 12 of the CSIS Act to seek foreign agency assistance without a warrant. CSIS failed to make such disclosure.

On the question of spying outside of Canada, the Court of Appeal did not reach the same conclusion as Mosley J. The Service is authorized to conduct activities at home and abroad. In general, the Court can authorize intrusive activities outside of Canada, but there was not sufficient information in the record before the Court to decide about its ability to authorize activities that would violate the laws of another jurisdiction:

[90] Here, we emphatically endorse the submission of the amicus that the question of whether the Federal Court had jurisdiction to issue a warrant authorizing the Service to lawfully intercept the communication of Canadians abroad (through the agency of CSEC and another country) was not before Justice Blanchard. Further, we see no legal impediment to the issuance of such a warrant. Thus, for example, the Federal Court could issue a warrant where the interception authorized by the warrant is in accordance with the domestic law of the state in which the interception takes place.

[91] What Justice Blanchard found was that the Federal Court lacked jurisdiction to issue a warrant that authorized activities in another country that CSIS conceded would violate the laws of that country. This issue does not properly arise on this record and cannot be decided on the record before us.

.... [96] It is for another day on another application with a more fully developed record for the Federal Court to consider whether in the national security context, section 21 warrants necessarily have a sufficient real and substantial link to Canada that the Court may issue a warrant that authorizes intrusive extraterritorial activity without offending the principle of comity and principles of international law.

The Court of Appeal did seem to accept that CSIS or CSEC could engage one of the other Five Eyes intelligence agencies to carry out the surveillance on its behalf.

According to the Canadian Press, the government is looking to appeal this to the Supreme Court of Canada.

Here is some additional coverage: Appeal Court upholds ruling CSIS kept judge in the dark on foreign spying.

Monday, November 03, 2014

SCC grants Alberta privacy law a reprieve, legislature gets another six months to fix unconstitutional privacy law

Last week the Supreme Court of Canada, following a motion brought by the government of Alberta, extended the life of the Personal Information Protection Act by six months. Readers may recall that the "nuclear option" was exercised in the Information and Privacy Commissioner, et al. v. United Food and Commercial Workers, Local 401, et al. case. The Court found that a portion of that Act was unconstitutional but, at the request of the Information and Privacy Commissioner and Government of Alberta, the entire statute was declared to be unconstitutional but with the declaration of invalidity suspended for twelve months. The idea was that the Alberta government would be able to get its ducks in a row and fix it in that time. We'll, that's not how it panned out and the clock was ticking down to November 14, 2014.

Cap in hand, the Alberta Government filed a motion in the Court to extend the suspension period by six further months and, on October 30, 2014, the Chief Justice of the Court granted the motion:

Decision on miscellaneous motion, CJ, UPON APPLICATION by the appellant, the Attorney General of Alberta, for an order extending the suspension of the declaration of invalidity of the Personal Information Protection Act, S.A. 2003 c. P-6.5, as granted in this appeal on November 15, 2013, for a period of six months;

AND THE MATERIAL FILED having been read;

IT IS HEREBY ORDERED THAT:

The motion is granted without costs. The suspension of the declaration of invalidity is extended for a period of six months from the original deadline set by this Court in the judgment dated November 15, 2013.

Granted, without costs

What is particularly shocking is that -- I am told -- the trade union involved in the case opposed the motion for the extension. If the legislation "fell", all members of the trade union and all employees in the provincially regulated sector would have been without privacy protection. That strikes me as absurd.

Friday, October 31, 2014

Lawful access I can get behind: Missing Persons Act (NS) still in limbo

Among the many reasons put forward for "lawful access" and warrantless access to personal information is the need to obtain information in missing persons cases, where the timeliness of obtaining phone information about a missing person can be pivotal in finding a missing person. Where there is no evidence of wrong-doing, regular productions orders are unavailable because no crime is believed to have been committed.

In response to this, the Government of Nova Scotia developed a properly tailored statute to allow police to get a court-sanctioned order requiring telcos and others to provide information. The Missing Persons Act was passed, but hasn't yet been proclaimed into force. Here are the key, operative provisions:

6 (1) Upon application for a record-access order, a justice who is satisfied that access to and, where requested, copies of any of the records set out in subsection (2)
(a) may assist a police agency in locating the missing person; and

(b) are in the possession or under the control of a person,

may make an order requiring the person to provide members of a police agency access to and, where requested, copies of the records set out in the order in respect of the missing person or, where subsection (3) applies, a person who may be accompanying the missing person.

(2) A record-access order may be made in respect of

(a) records containing contact or identification information;

(b) telephone and other electronic communication records, including, without limiting the generality of the foregoing,

(i) records related to signals from a wireless device that may indicate the location of the wireless device,

(ii) cell phone records,

(iii) inbound and outbound text messaging records, and

(iv) Internet browsing-history records;

(c) global-positioning system tracking records;

(d) video records, including closed-circuit television footage;

(e) records containing employment information;

(f) records containing personal health information as defined in the Personal Health Information Act;

(g) records from a school, university or other educational institution containing attendance information;

(h) records containing travel and accommodation information;

(i) records containing financial information; and

(j) any other records specified in the order that the justice considers appropriate.

(3) Where the missing person is a minor or a vulnerable person and there are reasonable grounds to believe that the missing person may be in the company of another person, the justice may order that members of the police agency be given access to and, where requested, copies of any of the records set out in the order in respect of the person who may be accompanying the missing person.

(4) In a record-access order, the justice may impose any restrictions or limits on the records to be produced that the justice considers appropriate.

(5) The justice may include a provision in a record-access order requiring a person to provide members of the police agency with an accounting of the efforts made by the person to locate any records that cannot be found.

A recent and ongoing case in Nova Scotia highlights the necessity for legislation such as this. Despite the fact that the law isn't in force, the spouse of the missing person was authorized on his account and was able to authorize it. (See: Missing Persons Act to be proclaimed soon, says minister - Nova Scotia - CBC News).

A key learning from this is that specific problems can have specific solutions, without broadening access to private information in other cases. While the range of information accessible under the Act is remarkably broad, the limited circumstances under which the orders are available and judicial oversight prevents abuse of this access.

Thursday, October 30, 2014

Annual Report to Parliament on the Privacy Act tabled for 2013-2014

The Office of the Privacy Commissioner of Canada has released its annual report on the Privacy Act, Canada's federal public sector privacy legislation, for 2013-2014. The report was tabled by our new Commissioner, Daniel Therrien, but relates to a period under the leadership of former Commissioner Jennifer Stoddart and Interim Commissioner Chantal Bernier.

Not surprisingly, the RCMP and surveillance of telecommunications customers loom large in the report. The summary provided in the accompanying press release gives a good overview:

News Release

Annual Report:

RCMP review highlights need for better record keeping

Privacy Commissioner’s latest annual report highlights a review which identified shortcomings in how the Royal Canadian Mounted Police (RCMP) monitors and reports on its collection of subscriber data from telecommunications companies without a warrant.

OTTAWA, October 30, 2014 – The results of a review of the RCMP’s warrantless access requests to telecommunications companies have prompted the Privacy Commissioner to call on federal institutions to ensure they properly document these types of requests.

The Office of the Privacy Commissioner of Canada (OPC) launched its review to determine whether the RCMP had appropriate controls in place to ensure its collection of this type of personal information from companies without a warrant was in compliance with the Privacy Act.

“We were disappointed to find that limitations in the RCMP’s information management systems meant we were unable to assess whether such controls were in place,” says Commissioner Therrien.

“It was not possible to determine how often the RCMP collected subscriber data without a warrant. Nor could we assess whether such requests were justified.”

The results of the review are included in the Commissioner’s 2013-2014 Annual Report on the Privacy Act tabled in Parliament today. The report also includes information related to other privacy and surveillance issues, including Beyond the Border initiatives and metadata; and discusses key investigations and complaint and data breach trends.

The review was closed after senior officials at the RCMP informed the OPC that, in the wake of a landmark Supreme Court of Canada decision, the organization would ensure its practices were in line with the ruling.

The OPC has recommended that the RCMP implement a means to monitor and report on warrantless requests for subscriber information.

“We are pleased that the RCMP has agreed to implement this recommendation,” says Commissioner Therrien. “While this review was focused on the RCMP, the recommendation calling for proper record keeping around such requests is one that other federal government organizations should also follow.

“Canadians understand that law enforcement and national security agencies have legitimate needs to collect personal information. Transparency is critical to accountability and will help to increase trust. Canadians want and deserve to have a clearer picture of how, when and why federal institutions are collecting personal information,” the Commissioner said.

“We would also encourage all federal departments and agencies not already doing so to take steps to ensure that all requests for subscriber data respect the Supreme Court of Canada’s recent decision in R. v. Spencer. The clear implication from this critically important decision for privacy is that government institutions must carefully evaluate their processes for obtaining information to ensure compliance with the Charter. The Supreme Court was clear in the Spencer decision that, absent exigent circumstances or a reasonable law providing lawful authority, government agencies must obtain prior judicial authorization in order to obtain subscriber data linked to anonymous online activities.”

Metadata Analysis

The annual report notes that the OPC has also completed a technical and legal primer on metadata – the data trail generated each time someone uses a mobile device, computer, telephone or other technologies.

Metadata and Privacy: a Technical and Legal Overview

The paper, made public today, concludes that organizations should not underestimate what metadata can reveal about an individual. Given the ubiquitous nature of metadata and the powerful inferences that can be drawn about specific individuals, government institutions and private-sector organizations will have to govern their collection and disclosure activities according to appropriate processes and standards that are commensurate with the potential level of sensitivity of metadata in any given set of circumstances.

Beyond the Border Initiatives

The annual report also notes that, over the last year, the OPC saw a trend towards an increased collection of personal information at borders and an expansion of the sharing and uses of such information. A large part stems from the entry/exit program – an initiative developed under the Canada-U.S. Beyond the Border perimeter security agreement. Initial phases have involved the exchange of entry information between Canada and the U.S. of third country nationals and permanent residents crossing land borders. The program will be expanded to include Canadian and U.S. citizens.

The OPC has already raised a number of questions with respect to the program.

Plans for the next phases of the entry/exit program contemplate not only collecting exit data from all travellers, but using that personal information for wider purposes. This includes sharing it with federal institutions. The OPC has recommended that each of these expanded uses be demonstrated as necessary and effective, be undertaken in the least privacy-invasive manner possible and be designed so any loss of privacy is in proportion to a substantial societal benefit.

The OPC expects to receive Privacy Impact Assessments (PIAs) for proposed new uses of personal information from the entry/exit program in the coming year. PIAs are an important tool and bring real value to organizations because they help to both identify and mitigate privacy risks.

Data Breaches

For the third consecutive year, the number of data breaches voluntarily reported to the OPC by federal institutions reached a record high. It is unclear whether there were actually more breaches or whether more departments and agencies chose to report them.

There were 228 reported data breaches in 2013-2014 across the federal government, more than double the 109 reported a year earlier.

Future annual reports should provide better information about the extent of serious federal government data breaches thanks to a recent change to the Treasury Board’s Directive on Privacy Practices. Federal institutions are now required to report all material data breaches.

Complaints

Year over year, complaints to the OPC have grown in both volume and complexity.

In 2013-2014, the Office accepted 1,777 complaints under the Privacy Act. This was lower than the previous year, which was unusually high due to more than 1,000 complaints related to two major data breaches at Employment and Social Development Canada (ESDC). If complaints associated with those breaches are not counted, there would be a year-over-year increase of approximately 700 complaints. That figure includes 339 complaints relating to a single issue at Health Canada.

ESDC Investigation

In March 2014, the OPC tabled in Parliament a special report on an investigation into ESDC’s loss of an external hard drive containing the personal information of almost 600,000 student loan recipients.

Our annual report summarizes the results of an investigation into another breach involving the disappearance of a USB key containing the personal information of more than 5,000 Canada Pension Plan Disability appellants. The USB key, which was being used by a Justice Department employee, disappeared from an ESDC office. It was neither password-protected nor encrypted, nor was it ever found. As in the breach involving the loss of a hard drive, the investigation found weaknesses in key privacy management controls.

Annual Report to Parliament 2013-14 - Transparency and Privacy in the Digital Age - Report on the Privacy Act

Wednesday, October 29, 2014

Privacy regulators call for measured response to terrorism attacks

In anticipation of new federal regulations to expand police surveillance powers and in connection with their annual meeting, Canadian federal, provincial and territorial privacy regulators, in a media release, have called upon the Federal Government:

  • To adopt an evidence-based approach as to the need for any new legislative proposal granting additional powers for intelligence and law enforcement agencies;
  • To engage Canadians in an open and transparent dialogue on whether new measures are required, and if so, on their nature, scope, and impact on rights and freedoms;
  • To ensure that effective oversight be included in any legislation establishing additional powers for intelligence and law enforcement agencies.

The media release is here: News Release: Statement of the Privacy and Information Commissioners of Canada on National Security and Law Enforcement Measures - October 29, 2014.

Friday, October 17, 2014

Presentation: Wearables under Canadian law

I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My second panel presentation was emerging issues and I focused on wearables.

My presentation is here:

Presentation: Right to be forgotten in Canada? Not so fast ...

I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My first panel presentation was on the collision between privacy and freedom of expression in the form of the "Right to be Forgotten". Spoiler alert: it would be unconstitutional in Canada.

Here's my presentation:

Tuesday, October 14, 2014

Two weeks until the Canadian Bar Association 5th Annual Privacy and Access Law Symposium

Only a short time until the Canadian Bar Association's 5th Annual Privacy and Access Law Symposium in Ottawa at the end of the month. The conference is uniformly excellent with great speakers.

Topics include:

  • Implementing Canada's new Anti-Spam Legislation (CASL) under existing privacy frameworks
  • Key developments in international law which will affect Canadian compliance
  • Mobile tracking, consumer online scoring and user-generated health data
  • Records management and challenges to access
  • Significant provincial changes regarding police information checks, PIPEDA, Ontario's FIPPA “advice and recommendations” exemption, and IPC Ontario's “Crossing the Line” investigation report
  • Trends in access including shared services arrangements which include NGOs
  • Privacy in public places – protectable personal information

You can get the agenda [PDF] here and register here.

Friday, October 10, 2014

Cyberbullying and lawful access Bill C-13 in the home stretch

The Protecting Canadians from Online Crime Act, also known as the controversial cyberbullying and lawful access ("law adjacent" access?) bill is in the home stretch, about to be passed by the House of Commons. From the CBC: Cyberbullying bill inches closer to law despite privacy concerns - Politics - CBC News.

I have had a lot to say about it, so for background, please check out the Bill C-13 Tag.

Monday, October 06, 2014

The 18th annual Canadian IT Law Association Conference

The 18th annual conference of the Canadian Information Technology Law Association is coming up in Montreal, October 20-21, 2014.

I have not missed an IT-Can conference since I started practicing law and have been honoured to be a regular speaker. (In fact, I liked the association so much, I was the president of the Association for a while. :) I'm moderating a panel on privacy, big data and data governance. There are other excellent plenary sessions and round-tables for anyone with an interest in tech or privacy law. A veritable buffet:

The Annual Update on IP Issues • Cybersecurity: Mitigating Business Risk • Evolution of IT Licensing: From Software Licensing to Software as a Service • Privacy and Information Governance Challenges in the Age of Big Data • IT and the Practice of Law: Whatever Happened to the Paperless Office? • Développements récents 2013-2014 en TI en droit québécois • Canada's New Anti-Spam Legislation: Compliance Challenges and Risk Mitigation Strategies • Mobile Payment Technology Issues • Hot Topics in IT Law 2014 • A Checklist of Issues for Doing Business in Quebec • Strategic Use of Outsourcing Arrangements • Global Practice Issues: The Intersection of Anti-Corruption and Technology • Mobile and Telecommunications Contracting • The Current State of Net Neutrality

Check out the brochure [PDF], which has all the registration details. If you have any questions about the program please contact Lisa Ptack, IT.CAN Executive Director at lisa.ptack@rogers.com.

Canadians deserve to participate in an informed conversation about privacy and surveillance


I was invited to contribute to the Hill Times Policy Briefing on Information Technology that was released today. Here's what I had to say:

Canadians deserve to participate in an informed conversation about privacy and surveillance

A multi-year conversation about privacy and surveillance is finally coming to a head, and it may be one of the defining issues of our time. This is a pivotal aspect of the relationship between citizens and the state, and Canadians have a right to sufficient information about the government’s activities to contribute to an intelligent conversation.

The topic of privacy and government surveillance has been making headlines in Canada for the last several years. Huge numbers – MILLIONS OF REQUESTS! – grab attention, but there is little understanding of the circumstances under which information is requested and disclosed from telecommunications service providers, the extent to which law enforcement seeks information, or even the nature of the information. Canadian law enforcement and security agencies have many of the same powers as their US counterparts. Canada has an equivalent of the USA Patriot Act: this is little-known and the import is little-understood. Few Canadians are aware that laws, including the Customs Act, the Excise Tax Act and the Environment Act, authorize warrantless access to personal information without judicial oversight or notice to the affected persons. Nobody outside government knows how often or how these powers are used.

Ever since the first efforts at legislating “lawful access” years ago, civil society groups have attempted to engage law enforcement and government in a dialogue to understand privacy and warrantless access to information about citizens. Their efforts have reached a crescendo as leaks from Mr. Snowden, furor over Bill C-13 and the Supreme Court of Canada decision in R. v. Spencer draw further attention to the issue. More recently, it has been reported that Rogers and Telus are challenging an order that they turn over call records of more than forty-thousand customers in one “tower dump”.

Law enforcement’s participation in that dialogue can be summed up in the following: “trust us, but it’s not private information anyway so don’t worry about it.” Government and national security agencies stonewall, telling us: “we don’t talk about national security.” Or cabinet ministers state that questioning such powers puts one in league with child pornographers. The credibility of assertions that Canadians are not targeted for mass warrantless surveillance has been dramatically undermined by documents from Mr. Snowden’s cache. Speculation that members of the “Five Eyes” - Canada included - spy on each other’s citizens is left largely uncontradicted.

The result is an informational vacuum in which hard facts are rare, leading to dire and Orwellian speculation.

Until recently, the only visibility into the Canadian government’s demands for information about its citizens had to be coerced from either the telcos or government. Thankfully, a small handful of telcos followed the lead of Google, Twitter and Facebook by releasing “transparency reports” earlier this year. But even here, the information is sparse, incomplete and likely misleading.

The reported data does not tell us, for example, how many requests are related to call records (so-called metadata) or unlisted numbers, in comparison to looking up the owner of a particular phone number? How many requests sought customer info based on IP addresses, which was the focus of the Spencer decision? How many customer accounts are affected?

Canadians have a Charter-guaranteed right to privacy, which can be limited “subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” This is a critical balancing act, recognizing that the state has a compelling interest in protecting society and the national security. At the same time, widespread, warrantless surveillance of a population is one of the hallmarks of a police state and the antithesis of how most Canadians imagine their country.

To what extent are we a free and democratic society? The only way this conversation can take place is when law enforcement agencies and national security organizations are transparent about the use of these powers. We already have similar information about the use of wiretap powers under the Criminal Code, tabled in Parliament annually. Providing statistics cannot conceivably undermine security or the effectiveness of investigative techniques.

Canadians have a right to express informed opinions about where the line should be drawn and where the balance between privacy and security should rest. This conversation is one of the most important for our society, and Canadians have a right to an informed discussion. It may well be that Canadians will be satisfied where the lines are drawn and where the balance lies; but without transparency, we can only speculate.

David TS Fraser practices internet and privacy law with the firm McInnes Cooper. He is the author of the Canadian Privacy Law Blog (blog.privacylawyer.ca) and can also be found on Twitter at @privacylawyer. The views expressed are the author’s alone and should not be attributed to his firm or its clients.

Friday, October 03, 2014

Presentation: Canada's Anti-spam Law and School Boards

Later today, I'll be giving a presentation to the Nova Scotia School Boards Association on Canada's Anti-Spam Law (CASL) and how it affects their operations. There has been a huge amount of confusion about the impact of this law on organizations like school boards, which are generally not engaged in commercial activity and can't really take advantage of some of the implied consent provisions are are available to other organizations.

Here's the presentation, in case it is of interest or useful:

Wednesday, October 01, 2014

SaskTel issues its first "Transparency Report" on government data demands

Hot on the heels of Telus' transparency report, SaskTel has also released its very first transparency report [PDF] on government data demands.

It's worth giving the report a look, and noting that SaskTel is the only telco in Canada that is also subject to a public sector privacy law that has very broad latitude for data disclosure to law enforcement.

Here are the numbers:

General – Listed Customer Name and Address 1,582

Court order 4,139

Freedom of Information and Protection of Privacy (excluding child sexual exploitation) 896

Federal/provincial government formal demands 233

Emergency requests 718

Emergency requests - after-hours by operator services 3,993

Child sexual exploitation 49

Requests denied 247


It's also worth noting that SaskTel says they have changed their practices in response to the R. v. Spencer case.

Presentation: Canada's Anti-spam Law and non-profits/charities

I just had the pleasure of speaking at a joint meeting of the Canadian Bar Association (Nova Scotia)'s privacy and charities sections on the impact of Canada's Anti-Spam Law (CASL) on charities and not for profits.

Here's the presentation, in case it may be of interest:

Presentation: The legal response to cyber-bullying

This week, I led an internal McInnes Cooper continuing professional development session on cyberbullying and the legal response to it.

In case this is of interest to readers, here is the presentation:

Presentation: Canada's Anti-spam law and University Conference Services

I had the pleasure of giving a presentation at the annual conference of the Canadian University and College Conference Organizers Association about the impact of Canada's Anti-Spam law on how they carry on their operations. The good news is that universities and colleges are not as affected by this law as most organizations. The bad news is that the conference and accommodation services folks are perhaps the most affected at their institutions.

Here is my presentation, in case it is of interest:

Tuesday, September 30, 2014

Telus issues its first "Transparency Report" on government data demands

Full points to Telus for joining Rogers as the first Canadian telcos to issue a transparency report. The Report for 2013 [PDF] summarizes the disclosures of customer information made by Telus in broad categories:

Court Orders/ Subpoenas**

Court Orders 3,922

Subpoenas 393

Court Orders to comply with a Mutual Legal Assistance Treaty (MLAT) request 2

Customer Name and Address Checks 40,900

Emergency Calls 56,748

Internet Child Exploitation Emergency Assistance Requests 154

Legislative Demands 1,343

TOTAL 103,462


As Telus notes, their methodology for tracking these may differ from other telecommunications providers, so the numbers may not be directly comparable.

It is also particularly notable that Telus states their practices have changed in at least two areas following the R v Spencer decision:

Customer Name and Address Checks

Description: Requests to provide basic customer information, such as customer name and address. These are usually done in order to identify an individual associated with a telephone number. Previously, it was understood that such disclosure was permitted under Canadian law and TELUS’ service terms. However, in light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS has changed its practice and now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.*

[Note: Hopefully, this does not suggest that they will provide a customer name and address when presented with an IP address, if that name and address are listed.]

Internet Child Exploitation Emergency Assistance Requests

Description: In response to police requests, TELUS disclosed the name and address of a customer using an IP address to help the police investigate a case of online child sexual exploitation. Previously, it was understood that such disclosure without a court order was permitted under Canadian law and TELUS’ service terms. However, the Supreme Court of Canada in the Spencer case (referred to above) has ruled that such disclosure requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.


The Toronto Star has offered some commentary on this: Telus issues first ‘transparency’ report on requests for customer information | Toronto Star

Thursday, September 18, 2014

Google's latest transparency report: Law enforcement requests up 150% over five years

Google has released its most recent iteration of its transparency report. In a posting on the Google Public Policy Blog, Richard Salgado, Legal Director, Law Enforcement and Information Security, writes that Google has seen a 15% increase in government data demands (excluding national security demands) since the second half of last year, and a 150% jump since Google's first report 2009. Breaking out U.S. demands, the numbers have risen 19% since the second half of last year and have leaped 250% since 2009.

The numbers for Canada have actually gone in the other direction. The previous transparency report included 52 demands for info on 73 users, compared to the most recent 27 demands related to 33 user accounts.

Consistent with Google's previous positions Salgado writes:

Governments have a legitimate and important role in fighting crime and investigating national security threats. To maintain public confidence in both government and technology, we need legislative reform that ensures surveillance powers are transparent, reasonably scoped by law, and subject to independent oversight.

Amen to that.

Sunday, September 14, 2014

Newfoundland health authority employee fined for rummaging through records

Last Thursday, a judge of the Newfoundland Provincial Court fined a former employee of Western Health $5000 for rummaging through approximately 1000 records. The accused was found to have reviewed names and billing addresses, but not more sensitive health information. See: Fine in privacy breach 'sends the right message': Ed Ring - Newfoundland & Labrador - CBC News.

Thursday, September 11, 2014

Privacy Commissioner of Canada releases results of second GPEN Privacy Sweep focused on mobile apps

The Privacy Commissioner of Canada has released the results of the second Global Privacy Sweep carried out by the Global Privacy Enforcement Network (GPEN). This sweep focused on mobile apps and the OPC scrutinized 151 of the 1211 examined globally.

The findings are summarized in a blog post, along with ten tips directed to assist developers in being more transparent about how apps collect, use and disclose personal information.

Here's the media release, too:

News Release: Global privacy sweep raises concerns about mobile apps - September 10, 2014

News Release

Global privacy sweep raises concerns about mobile apps

Clear, concise privacy language builds consumer trust and is good for business, Privacy Commissioner says after global sweep of more than 1,200 mobile apps.

OTTAWA, September 10, 2014 – As mobile apps explode in popularity, many of them are seeking access to large amounts of personal information without adequately explaining how that information is being used, participants of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep found.

“Fortunately, there were few examples of apps collecting the sort of information that would appear to exceed their functionality—like a flashlight app seeking permission to obtain your contacts list,” says Daniel Therrien, Privacy Commissioner of Canada.

“But we did find many apps were requesting permission to access potentially sensitive information, like your location or access to your camera functions, without necessarily explaining why. This left many of our sweepers with a real sense of unease.”

The privacy sweep results offer insight into the types of permissions some of the world’s most popular mobile apps are seeking and the extent to which organizations are informing consumers about their privacy practices. A number of specific examples illustrating these trends can be found in a blog postexternal on the Office of the Privacy Commissioner of Canada’s website. The Commissioner determined it was in the public interest to share specific results from the Sweep in order to help Canadians better understand the observations. Our Office has also prepared a 10 tips guide to help developers better communicate their privacy practices to app users.

In total, 1,211 apps were assessed, 151 of them by the Office of the Privacy Commissioner of Canada.

Participants looked at the types of permissions an app was seeking, whether those permissions exceeded what would be expected based on the app’s functionality, and most importantly, how the app explained to consumers why it wanted the personal information and what it planned to do with it.

“Both large and small app developers are embracing the potential to build user trust by providing clear, easy to read and timely explanations about what information they will collect and how they will use it,” Commissioner Therrien says.

“Others are missing that opportunity by failing to provide even the most basic privacy information.”

The Sweep, which took place May 12 to 18, 2014, involved 26 privacy enforcement authorities from around the world, up from 19 international participants during last year’s inaugural event. The growth of this year’s Sweep shows privacy enforcement authorities are more committed than ever to working together to promote privacy protection.

The GPEN initiative is aimed at encouraging organizations to comply with privacy legislation and to enhance co-operation between privacy enforcement authorities. It was not in itself an investigation, nor was it intended to conclusively identify compliance issues or legislative breaches. Concerns identified during the Sweep, however, will result in follow-up work such as outreach to organizations, deeper analysis of app privacy provisions and/or enforcement action.

Office of the Privacy Commissioner of Canada Sweep highlights:

  • 28 per cent of apps provided a clear explanation of their collection, use and disclosure of personal information policies.
  • More than a quarter of apps examined by the OPC (26%) offered either no privacy policy at all or one that left sweepers with serious concerns regarding how their information would be collected, used and disclosed.
  • Amongst the apps receiving top ratings were very popular apps in the e-marketplace, demonstrating that when properly explained to consumers, the collection of information does not negatively impact on downloads.

Global Sweep highlights:

  • Three-quarters of all apps examined requested one or more permissions, the most common of which included location, device ID, access to other accounts, camera and contacts. The proportion of apps requesting permissions and the potential sensitivity associated with the information highlight the need for apps to be more transparent.
  • For nearly one-third of the apps (31%), sweepers could not understand – after reading the app’s various privacy communications and given what they knew about the app’s function – why it needed access to certain information.
  • Some 43 per cent of apps did not tailor privacy communications to the small screen. Sweepers complained of small print and lengthy privacy policies that required scrolling or clicking through multiple pages. Best practices included using larger font, pop-ups, layered information and just-in-time notification to inform users of potential collections or uses of information when they were about to happen.

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

See also:

Blog post, Backgrounder, Ten Tips for Communicating Privacy Practices to Your App's Users

Wednesday, September 03, 2014

The US doesn't have a privacy law? Really? Verizon to pay $7.4 million over failure to notify consumers on privacy rights

At privacy gatherings, I often hear that Canada and the European Union have serious privacy laws, while the United States is somehow on the lawless fringe (other than sectoral laws like HIPAA). That's far from the case, as the Federal Trade Commission has taken a small portion of the Federal Trade Commission Act and 33 other statutory instruments to enforce a pretty broad privacy regime in the US. Case in point: Today's $7.4 million settlement with Verizon over the omission to include a privacy brochure in the with the first bills of 2 million customers. (See: Verizon to pay $7.4 million over failure to notify consumers on privacy rights | Reuters).

Tuesday, September 02, 2014

The celebrity photo leak/hack: lessons for securing devices and cloud accounts

Over the weekend, a deluge of intimate photos of celebrities appeared on the internet, first on 4Chan and then on Reddit (CBC report). Surely, they are other places now. What is unclear at the moment is how the images were obtained in the first place. There's been speculation that the photos came from the iCloud accounts that were either compromised by a brute-force password attack or even a suggestion that the WiFi at the Emmy Awards was somehow compromised. Other discussions online suggest that the photos have been traded for years among avid collectors. It will be very interesting -- from a privacy and security point of view -- to learn how it actually happened.

In the meantime, this serves as a reminder about what steps most people should take to secure their sensitive personal information on their devices and in the cloud.

Increasingly, people are carrying more and more sophisticated devices with onboard cameras that automatically sync data to remote servers. I am not at all interested in blaming the victims. Increasingly, people are taking photos from the most banal moments in their lives to the most intimate. Like it or not, it's simply a fact. While celebrity images are the most sought-out, images of ordinary people have been scraped from unsecured image hosting sites with traumatic results.

Most smartphones are mostly secure out of the box, and responsible vendors update vulnerabilities as they are discovered. However, they rely on humans who may not be as technically-minded as the first line of defence. All of these devices and services are protected by passwords. People tend to choose very weak, easily guessed passwords. That can be fixed. And people can take additional steps to protect their information.

  1. Try to learn the basics of how your device works, particularly about what is synchronised and backed up to online services; check your default settings;
  2. Secure your device with a PIN or password (How to: Android and iOs);
  3. Add encryption to your device, if possible (How to: Android);
  4. Add remote management to kill your device if it is lost (How to: Android (I also like Cerberus Anti Theft) and iOs);
  5. Use a strong password for all your accounts. The longer the better. (Read this XKCD comic. Read it, learn it, live it.)
  6. Consider a password manager like LastPass to generate complicated passwords for your accounts and to keep them safe. But protect your password vault with the most complicated and longest password you can reliably remember.
  7. Use two-factor authentication for your cloud accounts. While not particularly intuitive, two-factor authentication protects your account even if your password is compromised. This is critical. (How to: Google Accounts, DropBox, and most other places.) Any account to which you sync your personal images and video should be protected by two factor authentication.

With these measures in place, you're much more secure than most people. But there is no such thing as perfect security. Knowing that there are malevolent people out there looking for this kind of content and other sensitive personal information, the next question needs to be "am I satisfied that this is as secure as it needs to be in light of the nature of the information and the consequences of a 'leak'"?

UPDATE: According to TechCrunch, Apple's two-factor authentication DOES NOT PROTECT iCloud or Photostreams. This is a major shortcoming. I would recommend not using iCloud for anything personal or sensitive until Apple fixes this gaping omission.

Sunday, July 27, 2014

Ontario court to hear telcos' challenge of police request for "tower dumps" including info on 40,000+ customers

An Ontario court has agreed to hear a Charter challenge brought by Rogers and Telus in response to a police request for "tower dumps" with records on over 40,000 calls or customers. The police subsequently withdrew its request, but the judge has agreed to hear the case in any event, given the important privacy interests at stake.

The short recital of the facts is very interesting and suggests the initial production order is staggeringly broad, requiring the production of personal information about tens of thousands of people who had nothing to do with the crime being investigated: [8] Mobile telephones check into wireless networks by connecting to antennas that are frequently mounted on towers. A record is created whenever the telephone attempts or completes a communication which could be a phone call, text message or e-mail. The record identifies the particular tower at which the phone connected to the system. Each tower serves a geographical area ranging from a 10-25 km radius in the country and 1-2 km, radius (or even less) in the city. [9] The production orders against Rogers and Telus are in similar form. The orders require cell phone records for all phones activated, transmitting and receiving data through 21 specified Telus towers and 16 Rogers towers. The orders require the name and address of every subscriber making or attempting a communication and the particular cell tower being utilized. The orders are framed such that if both the person initiating and receiving the communication are Rogers (or Telus) subscribers, then information regarding the recipient must also be provided and the cell tower the recipient used must also be provided. The orders also require billing information which may include bank and credit card information.

[10] Telus and Rogers are both contractually obliged, subject to narrow exceptions, to keep customer personal information private and confidential.

[11] The existing order will require Telus to disclose the personal information of at least 9,000 individuals. Rogers estimates that it will be required to conduct 378 separate searches and retrieve approximately 200,000 records related to 34,000 subscribers.

[12] The existing orders do not specify how the customer information is to be safeguarded and does not restrict the purposes for which the PRP may use the information. For example the PRP is not restricted from retaining the information and using it with respect to unrelated investigations.

[13] The Telus affidavit indicates that since 2004 it has dealt with thousands of court orders requiring cell records. In 2013 alone, it responded to approximately 2,500 production orders and general warrants. To the knowledge of the Telus deponent, the order that it now challenges is the most extensive to date in terms of the number of cell tower locations, and length of time periods, for which customer information is required.

[14] The Rogers affidavit indicates that from 1985 to 2014 it has complied with many thousands of production orders. In 2013, alone it produced 13,800 “files” in response to production orders and search warrants.

The court also highlights that the privacy of millions of Canadians is implicated by the decision:

[41] With respect to the third criterion, sensitivity to the count’s proper law making function, there is effectively an ongoing dispute between the police and telecommunications providers. The fact the “tower dumps” are frequently used by police as an investigative tool is reflected in the material before me and is evident as a matter of judicial experience. The Rogers-Telus applications directly concern 40-50,000 individuals, it is safe to infer that the number of individuals affected across Canada would be in the hundreds of thousands, if not millions, every year.

See: R. v. Rogers Communications Partnership, 2014 ONSC 3853 and Telecoms’ charter case to be heard | The Chronicle Herald.

Thursday, July 10, 2014

Privacy Commissioner cautions insurers about the use of genetic testing

The Office of the Privacy Commissioner of Canada has today released a policy statement on genetic testing and the insurance industry. Essentially, the document says to tread carefully, but the subtext clearly is much more negative towards the practice.

From the media release:

News Release: Office of the Privacy Commissioner of Canada issues statement on the use of genetic test results by life and health insurance companies - July 10, 2014

OTTAWA, July 10, 2014 – The Office of the Privacy Commissioner of Canada is urging the life and health insurance industry to call on its members to refrain from asking applicants for access to existing genetic test results for the purposes of underwriting an insurance policy at this time.

“As science and technologies advance, protecting genetic privacy will become increasingly important and challenging,” says Privacy Commissioner Daniel Therrien.

“We are calling on the industry to refrain from asking for existing test results to assess insurance risk until the industry can clearly show that these tests are necessary and effective in assessing risk. This would allow people to undergo genetic testing for various purposes without fear that the results may have a negative impact if they apply for insurance.”

The step called for in the policy statement issued today would effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing. The statement outlines the Office of the Privacy Commissioner’s position with respect to the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to this practice.

The statement says: “It is not clear that the collection and use of genetic test results by insurance companies is demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives at this time.”

The statement reflects the Office of the Privacy Commissioner’s ongoing work on the privacy implications associated with genetic information.

The issue has prompted the introduction of private members’ bills at both the federal and provincial levels, and the issue was mentioned in the most recent Speech from the Throne.

The Office of the Privacy Commissioner has provided the statement to the Canadian Life and Health Insurance Association.

The Commissioners of Alberta, British Columbia and Quebec – all provinces with substantially similar private-sector legislation – support the work done by the Office of the Privacy Commissioner of Canada. Insurance companies in those provinces will need to consider provincial legislation in addressing these issues.

For more information about the two research papers that contributed to this statement and the OPC’s strategic priorities, please see:

Tuesday, July 08, 2014

Catherine Tully appointed new FOIPOP Review Officer of Nova Scotia

The Nova Scotia government has just announced the appointment of the new FOIPOP Review Officer for Nova Scotia, Catherine Tully.

Here's the media release:

New FOIPOP Review Officer Appointed | novascotia.ca

New FOIPOP Review Officer Appointed

Department of Justice

July 8, 2014 1:07 PM

Catherine Tully of Ottawa has been appointed Nova Scotia's new freedom of information and protection of privacy review officer.

Ms. Tully will oversee how provincial and municipal governments, school boards, universities, community colleges and hospitals protect the privacy of Nova Scotians and respond to requests for access to information.

"This is an important oversight role," said acting Justice Minister Mark Furey. "Nova Scotians have a right to information held by government and they expect us to protect their private information. I'm very pleased we have a strong leader to fulfill this responsibility. Ms. Tully has tremendous leadership and practical experience to bring to this role."

Ms. Tully has over 10 years of senior experience with government agencies and Crown corporations dedicated to access to information and privacy law. She's been the assistant information and privacy commissioner for British Columbia and, most recently, was the director of privacy and access to information for Canada Post. Although she spent much of her work and educational career in Ontario and British Columbia, Ms. Tully completed a master's degree in international law and human rights at Dalhousie University.

"I look forward to working with public bodies and health custodians to help them find practical solutions to the tough access and privacy issues," said Ms. Tully. "For citizens, I will continue the work of ensuring that Nova Scotians have meaningful access to government information and real protection of their personal information.

"I am honoured by this appointment and look forward to my return to Nova Scotia to tackle the opportunities and challenges of review officer."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer accepts appeals from people and organizations who are not satisfied with the response they received from provincial government departments, most provincial agencies, boards and commissions, municipal government organizations and public bodies including community colleges, hospitals, universities, and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

Ms. Tully will begin Sept. 8.

Monday, June 23, 2014

The New Canadian Anti-SPAM Law and Your Business

This morning, I hosted an online webinar entitled The New Canadian Anti-SPAM Law and Your Business. We did it using Google's Hangout On Air feature that allows virtually unlimited numbers of people to attend live and it creates a handy YouTube video of the entire session for future reference.

You'll see from the presentation that I'm not a big fan of the law, but it's going to be the law on July 1, 2014 and businesses need to get their ducks in a row if they haven't already.

If you're looking for specific advice about compliance, feel free to contact me at david.fraser@mcinnescooper.com.


Wednesday, June 18, 2014

Henry v Bell Mobility: Another Federal Court case shows PIPEDA damages are hardly worth pursuing absent evidence of actual harm

The Federal Court, in the recently issued decision in Henry v Bell Mobility 2014 FC 555 (not yet on CanLII or the Court's site) has awarded a very modest sum of damages to a customer of Bell Mobility whose phone account was accessed by an impostor. At the hearing before the Federal Court, Bell did not contest liability so all the Court had to consider was the appropriate measure of damages. Nevertheless, the facts are relevant: An individual was able to convince a customer service representative employed by the mobile phone company to grant her access to the complainant's account. She was provided with general account information and the last seven numbers dialed. The impostor was also allowed to make changes to the account.

The claimant alleged that he suffered a lost business opportunity as a result of the impostor then contacting an intended business associate of the claimant. However, the claimant did not offer any compelling evidence to support this business opportunity. Instead of the compensatory damages of $35,500.00, punitive damages of $5,000.00, general damages of $5,000.00 and legal costs of $4,000.00, the Court awarded $2,500 in general damages plus $1,000 in costs. The complainant had argued that the Court should follow Chitraker v Bell, but the court was not convinced.

[26] Chitrakar is distinguishable from the current case in that here Bell Mobility has taken responsibility for the breach of Mr. Henry's privacy rights; it has put in place steps to better train CSRs; it has not in any way benefited from the breach; and, has acknowledged that Mr. Henry is entitled to damages in keeping with the jurisprudence of this Court. Bell Mobility argued that damages in the range of $1,500 - $2,000 was more than adequate to compensate Mr. Henry in these circumstances.

[27] Having considered all of the evidence and the jurisprudence and given the circumstances under which the woman cajoled the Bell representative to make the changes to the account and the breadth of the information disclosed it is my view that an award of $2,500.00 is appropriate. Mr. Henry was self-represented at trial although he had counsel on record assisting him earlier in the case. In all of the circumstances, costs in the amount of $1,000.00 will cover disbursements and legal costs.


Interestingly, there is no mention of Jones v Tsige; the court only discusses PIPEDA cases.

What's the moral of this story? Absent any actual, provable harm, PIPEDA damages are hardly worth pursuing.

Friday, June 13, 2014

R v Spencer: Supreme Court rules internet users have a reasonable expectation of privacy and anonymity online

[Note: this post is a work in progress, and will be updated as I digest the decision.]

This morning, the Supreme Court of Canada released its decision in R v Spencer, 2014 SCC 43.

The case, on appeal from the Saskatchewan Court of Appeal, has finally provided some certainty regarding the expectation of privacy that all Canadians enjoy in their online activities. All internet users expose their IP addresses to the sites they visit and the computers they connect to, but generally it is only the internet service provider who can connect that innocuous string of digits to a real identity.

In this case, the police had obtained information about an internet user from his internet service provider without a warrant. The police asked for it using a "PIPEDA request" and the ISP simply provided it, relying on a broad provision in PIPEDA which -- in its view -- permits certain disclosures to law enforcement.

I am still digesting the decision, but some very important conclusions from the case:

  • Internet users have a reasonable expectation of anonymity in their online activities

    Contrary to the views of most police agencies and the government of Canada, this information is not innocuous "phone book information" but "Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage."

  • A police request to the ISP for customer information amounts to a "search" for Charter purposes
  • The fact that an ISP may be able to disclose information pursuant to s. 7(3)(c.1) of PIPEDA or the terms of use is relevant to the expectation of privacy, but not determinative of it
  • The request by the police had no "lawful authority" since they had no authority to compel the production of the information

There has been much controversy surrounding the term "lawful authority" in PIPEDA, which permits an organization to disclose personal information without consent in connection with an investigation where the police have identified their "lawful authority" to obtain the information. The police have generally argued that an investigation is sufficient to satisfy that. The Court disagreed:

[62] Section 7(3)(c.1)(ii) allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue is whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

[63] I am aware that I have reached a different result from that reached in similar circumstances by the Ontario Court of Appeal in Ward, where the court held that the provisions of PIPEDA were a factor which weighed against finding a reasonable expectation of privacy in subscriber information. This conclusion was based on two main considerations. The first was that an ISP has a legitimate interest in assisting in law enforcement relating to crimes committed using its services: para. 99. The second was the grave nature of child pornography offences, which made it reasonable to expect that an ISP would cooperate with a police investigation: paras. 102-3. While these considerations are certainly relevant from a policy perspective, they cannot override the clear statutory language of s. 7(3)(c.1)(ii) of PIPEDA, which permits disclosure only if a request is made by a government institution with “lawful authority” to request the disclosure. It is reasonable to expect that an organization bound by PIPEDA will respect its statutory obligations with respect to personal information. The Court of Appeal in Ward held that s. 7(3)(c.1)(ii) must be read in light of s. 5(3), which states that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. This rule of “reasonable disclosure” was used as a basis to invoke considerations such as allowing ISPs to cooperate with the police and preventing serious crimes in the interpretation of PIPEDA. Section 5(3) is a guiding principle that underpins the interpretation of the various provisions of PIPEDA. It does not allow for a departure from the clear requirement that a requesting government institution possess “lawful authority” and so does not resolve the essential circularity of using s. 7(3)(c.1)(ii) as a factor in determining whether a reasonable expectation of privacy exists.

[64] I also note with respect to an ISP’s legitimate interest in preventing crimes committed through its services that entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police. Such a situation falls under a separate, broader exemption in PIPEDA, namely s. 7(3)(d). The investigation in this case was begun as a police investigation and the disclosure of the subscriber information arose out of the request letter sent by the police to Shaw.

[65] The overall impression created by these terms is that disclosure at the request of the police would be made only where required or permitted by law. Such disclosure is only permitted by PIPEDA in accordance with the exception in s. 7, which in this case would require the requesting police to have “lawful authority” to request the disclosure. For reasons that I will set out in the next section, this request had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. I conclude that, if anything, the contractual provisions in this case support the existence of a reasonable expectation of privacy, since the Privacy Policy narrowly circumscribes Shaw’s right to disclose the personal information of subscribers.

[66] In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Here is the headnote summary of the decision:

Constitutional law — Charter of Rights — Search and seizure — Privacy — Police having information that IP address used to access or download child pornography — Police asking Internet service provider to voluntarily provide name and address of subscriber assigned to IP address — Police using information to obtain search warrant for accused’s residence — Whether police conducted unconstitutional search by obtaining subscriber information matching IP address — Whether evidence obtained as a result should be excluded — Whether fault element of making child pornography available requires proof of positive facilitation — Criminal Code, R.S.C. 1985, c. C‑46, ss. 163.1(3), 163.1(4), 487.014(1) — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 7(3)(c.1)(ii) — Charter of Rights and Freedoms, s. 8.

The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store child pornography through an Internet file sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. The request was purportedly made pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA). This led them to the accused. He had downloaded child pornography into a folder that was accessible to other Internet users using the same file sharing program. He was charged and convicted at trial of possession of child pornography and acquitted on a charge of making it available. The Court of Appeal upheld the conviction, however set aside the acquittal on the making available charge and ordered a new trial.

Held: The appeal should be dismissed.

Whether there is a reasonable expectation of privacy in the totality of the circumstances is assessed by considering and weighing a large number of interrelated factors. The main dispute in this case turns on the subject matter of the search and whether the accused’s subjective expectation of privacy was reasonable. The two circumstances relevant to determining the reasonableness of his expectation of privacy in this case are the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP’s disclosure of subscriber information.

When defining the subject matter of a search, courts have looked not only at the nature of the precise information sought, but also at the nature of the information that it reveals. In this case, the subject matter of the search was not simply a name and address of someone in a contractual relationship with the ISP. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage.

The nature of the privacy interest engaged by the state conduct turns on the privacy of the area or the thing being searched and the impact of the search on its target, not the legal or illegal nature of the items sought. In this case, the primary concern is with informational privacy. Informational privacy is often equated with secrecy or confidentiality, and also includes the related but wider notion of control over, access to and use of information. However, particularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests.

There is no doubt that the contractual and statutory framework may be relevant to, but not necessarily determinative of whether there is a reasonable expectation of privacy. In this case, the contractual and regulatory frameworks overlap and the relevant provisions provide little assistance in evaluating the reasonableness of the accused’s expectation of privacy. Section 7(3)(c.1)(ii) of PIPEDA cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. It would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. The contractual provisions in this case support the existence of a reasonable expectation of privacy. The request by the police had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. In the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search.

Whether the search in this case was lawful will be dependent on whether the search was authorized by law. Neither s. 487.014(1) of the Criminal Code, nor PIPEDA creates any police search and seizure powers. Section 487.014(1) is a declaratory provision that confirms the existing common law powers of police officers to make enquiries. PIPEDA is a statute whose purpose is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, the police do not gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information. The conduct of the search in this case therefore violated the Charter. Without the subscriber information obtained by the police, the warrant could not have been obtained. It follows that if that information is excluded from consideration as it must be because it was unconstitutionally obtained, there were not adequate grounds to sustain the issuance of the warrant and the search of the residence was therefore unlawful and violated the Charter.

The police, however, were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose. The nature of the police conduct in this case would not tend to bring the administration of justice into disrepute. While the impact of the Charter‑infringing conduct on the Charter protected interests of the accused weighs in favour of excluding the evidence, the offences here are serious. Society has a strong interest in the adjudication of the case and also in ensuring the justice system remains above reproach in its treatment of those charged with these serious offences. Balancing the three factors, the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute. The admission of the evidence is therefore upheld.

There is no dispute that the accused in a prosecution under s. 163.1(3) of the Criminal Code must be proved to have had knowledge that the pornographic material was being made available. This does not require however, that the accused must knowingly, by some positive act, facilitate the availability of the material. The offence is complete once the accused knowingly makes pornography available to others. Given that wilful blindness was a live issue and that the trial judge’s error in holding that a positive act was required to meet the mens rea component of the making available offence resulted in his not considering the wilful blindness issue, the error could reasonably be thought to have had a bearing on the trial judge’s decision to acquit. The order for a new trial is affirmed.

For some background on "PIPEDA requests", check out the blog posts tagged with "PIPEDA requests".