Thursday, December 17, 2015

Nova Scotia's cyberbullying law declared to be unconstitutional and a "colossal failure"

Full disclosure: I was counsel to the applicant respondent in this case. (The party seeking to have the order set aside and to have the statute found to be unconstitutional.)

The Nova Scotia Supreme Court has just released its decision in Crouch v Snell, 2015 NSCC 340 (PDF).

In the decision, the Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. The law has been found to violate the Canadian Charter of Rights and Freedoms' guarantees of freedom of expression and “life, liberty and security of the person” rights, in a manner that cannot be upheld as a reasonable limit on those rights that can be justified in a free and democratic society. In short, the law is a dramatic failure.

The case related to two adults, former business partners, who had a falling out. Mr. Crouch sought and obtained an ex parte cybersafety protection order before a justice of the peace in December 2014. The respondent (I was his counsel) challenged the order and the legislation.

I have not been known as a fan of the Cyber-safety Act. I've blogged about it, written Op-Eds about it and I've called it a dumpster fire. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the tragic death of Rehtaeh Parsons. In my view, it was created in haste in the immediate, emotional aftermath of the tragic death of a young woman who had been sexually assaulted and had photos of the assault circulated around the community. The government of the day -- which was heading for an election -- was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent.

Among other things, the Act allows an alleged victim of cyberbullying to appear before a justice of the peace to obtain a cybersafety protection order. These orders can go so far as to result in the confiscation of electronic devices and being barred from using the internet. An alleged cyberbully never has any notice of this hearing and has no right to give his side before the order is made. In this case, the order of the justice of the peace even ordered the respondent to delete all of his social media postings that didn’t refer to anyone in particular, as they may have referred to the complainant.

The case mainly focused on two aspects: the definition of "cyberbullying" at the heart of the Act and the scheme that permits applications and orders without notice to the other side. The Court found the Act violates freedom of expression rights and cannot be saved. The definition is overbroad and encompasses a range of expression that is constitutionally protected:

[115] The Act restricts "any electronic communication through the use of technology ... that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way". It is not difficult to come up with examples of expressive activity that falls within this definition, and at the same time promotes one of the core freedom of expression values. Moir J. did just that in Self, supra at para. 25:
A neighbour who calls to warn that smoke is coming from your upstairs windows causes fear. A lawyer who sends a demand letter by fax or e-mail causes intimidation. I expect Bob Dylan caused humiliation to P.F. Sloan when he released "Positively 4th Street", just as a local on-line newspaper causes humiliation when it reports that someone has been charged with a vile offence. Each is a cyberbully, according to the literal meaning of the definitions, no matter the good intentions of the neighbour, the just demand of the lawyer, or the truthfulness of Mr. Dylan or the newspaper.

[116] In conclusion, I find that the Act has both the purpose and effect of controlling or restricting freedom of expression.

Once any limitation on a Charter-protected right is found, it can only be justified if (i) it is prescribed by law, (ii) it relates to a pressing and substantial objective, (iii) the impugned provision is rationally connected to the objective, (iv) it impairs the Charter right "minimally" and (v) its effects are proportional. In this case, remarkably, the Court found that it is not even "prescribed by law" as it is not sufficiently intelligible:

[137] In this regard, I find that the Act provides no intelligible standard according to which Justices of the Peace and the judiciary must do their work. It does not provide sufficiently clear standards to avoid arbitrary and discriminatory applications. The Legislature has given a plenary discretion to do whatever seems best in a wide set of circumstances. There is no "limit prescribed by law" and the impugned provisions of the Act cannot be justified under s. 1. In the event I am wrong, I will perform the balance of the Oakes analysis.

The Court also found that the ex parte procedure is not rationally connected to the mischief to be addressed:

[156] ... Section 5(1) must be read as requiring protection order applications to be made without notice to the respondent. I also agree with the Respondent's submission that even if s. 5(1) did give applicants a choice in the matter, it would be a rare case indeed where an applicant would choose to give notice.

[157] Finally, with respect to the Attorney General's reliance on the various procedural safeguards set out in the Act, the reality is that while the respondent waits for the opportunity to be heard at a de novo hearing, his or her Charter-protected rights and freedoms will continue to be infringed upon. This will be on the basis of a proceeding that most likely occurred without notice to the respondent, and without the respondent having had an opportunity to be heard.

[158] I find the process set out in s. 5(1) of the Act is not rationally connected to the legislative objectives. The process does not specifically address a targeted mischief.

On "minimal impairment", the Court called the Act a "colossal failure":

[165] I need to consider all of the types of expression that may be caught in the net of the Cyber-safety Act, and determine whether the Act unnecessarily catches material that has little or nothing to do with the prevention of cyberbullying: R. v. Sharpe, 2001 SCC 2, [2001] S.C.J. No. 3 at para. 95. In this regard, the Cyber-safety Act, and the definition of cyberbullying in particular, is a colossal failure. The Attorney General submits that the Act does not pertain to private communication between individuals, but rather, deals with "cyber messages or public communications". With respect, I find that the Act restricts both public and private communications. Furthermore, the Act provides no defences, and proof of harm is not required. These factors all culminate in a legislative scheme that infringes on s. 2(b) of the Charter much more than is necessary to meet the legislative objectives. The procedural safeguards, such as automatic review by this Court and the respondent's right to request a hearing, do nothing to address the fact that the definition of cyberbullying is far too broad, even if a requirement for malice was read in. Moir J.'s comments in Self supra at para. 25, are instructive:
The next thing to note is the absence of conditions or qualifications ordinarily part of the meaning of bullying. Truth does not appear to matter. Motive does not appear to matter. Repetition or continuation might ("repeated or with continuing effect") or might not ("typically") matter.

[166] In conclusion, the Cyber-safety Act fails the "minimum impairment" branch of the Oakes test.
Emphasis added

The Court also found that the Act fails on the final proportionality test:

[174] The Attorney General submits that the Act strikes an appropriate balance because it only restricts expression that is malicious, and therefore low-value. The Respondent says this Court must instead balance an individual's right to express any sort of speech captured in the definition of "cyberbullying" against the objectives of the Act. The Respondent says the Act prevents an individual from telling the truth if it hurts another person's feelings or harms their self-esteem, and it does not provide any defences. The Act does not accommodate expression that relates to individual self-fulfillment, truth-finding or political discourse. The Respondent submits that the Act can therefore "limit speech that cuts to the core of Charter values". The Respondent distinguishes Lucas on the basis that the libel provisions in the Criminal Code were upheld because they prohibit only falsehoods that are known by the defendant to be false.

[175] It is clear that many types of expression that go to the core of freedom of expression values might be caught in the definition of cyberbullying. These deleterious effects have not been outweighed by the presumed salutary effects.

In the end, the Court found that the Cyber-safety Act offends sections 2(b) and 7 of the Charter and cannot be justified.

Interestingly, the Attorney General asked that if the Act were declared to be unconstitutional, the Court should suspend the declaration of invalidity so that the legislature could go back to the drawing board. In court, we agreed that it could be suspended with respect to anyone but my client. The Court declared the entire Act to be unconstitutional but refused to suspend the order:

[220] Both parties confined their submissions to the definition of cyberbullying and Part I of the Act. I have identified a number of problems with both components. The remaining parts of the Act cannot survive on their own. They are inextricably connected to the offending provisions, in particular the definition of cyberbullying. Severance would not be appropriate. The Act being over-inclusive rather than underinclusive, reading in also would not be an appropriate remedy. I have already explained why reading in a requirement for malice is not, in my view, appropriate or sufficient. The Act must be struck down in its entirety. The Attorney General has not persuaded me that a temporary suspension is warranted. To temporarily suspend the declaration of validity would be to condone further infringements of Charter protected rights and freedoms. Further, the fact that the Act was enacted to fill a "gap" in the legislation does not mean that victims of cyberbullying will be completely without redress in the time it takes to enact new cyberbullying legislation. They will have the usual albeit imperfect civil and criminal avenues available to them.
Emphasis added

So far, the government of Nova Scotia has not commented on the case and it remains to be seen whether they will appeal the case or go back to the drawing board, or both.

If they do go back to the drawing board, I really hope they will do it with very careful deliberation and full consultation with experts. But if nothing else, they have a good example of how not to do it.

Thursday, December 10, 2015

Privacy Commissioner tables annual report on privacy in the federal government

The Privacy Commissioner of Canada has just tabled his Annual Report on the Privacy Act to Parliament for 2014-2015. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

Here's the media release prepared by the Commissioner:

Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner

2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

  • More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  • More than 90% did not track all portable storage devices throughout their lifecycle.
  • More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  • One-quarter did not enforce the use of encrypted USB storage devices.
  • Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned devices) on their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.