Friday, October 20, 2017

CRTC finds CASL to be constitutional in CompuFinder challenge

On October 19, 2017, the CRTC issued its decision in a constitutional challenge to CASL brought by CompuFinder. You may recall that in 2015, the CRTC levied the largest penalty to date -- $1.1 million -- against CompuFinder. (My previous blog post.) The company challenged the constitutionality of the legislation, primarily on the grounds that it is ultra vires federal jurisdiction (outside of powers granted to the federal parliament under the constitution) and that it violated s. 2(b) of the Charter and could not be saved by s. 1.

For the non-lawyers out there, a law can violate Charter rights but can still be upheld if the infringement is justifiable using s. 1:

1. The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

The framework for s. 1 analysis set by the Supreme Court requires all of the following to be met for a limitation on a constitutionally-guaranteed right to be upheld:

1. The limit must be prescribed by law

2. There must be a pressing and substantial objective

3. The means must be proportional
   a. The means must be rationally connected to the objective
   b. There must be minimal impairment of rights
   c. There must be proportionality between the infringement and objective

In my personal view, the decision is incorrect in a number of ways. I think the Commission suffered the same issue that plagues much of the discussion of CASL: the use of the word "spam" in its colloquial sense when the focus really needs to be on what the law really regulates: commercial electronic messages. It is comparing apples to oranges, and statistics like "spam is down in Canada" are only slightly useful in the discussion.

I think the Commission was dramatically wrong in finding that there was a minimal impairment of constitutional rights. This generally asks whether the restriction unduly limits speech or expression that is outside of the scope of the "pressing and substantial objective."

In its decision (Compliance and Enforcement Decision CRTC 2017-367), the CRTC agreed with the government regarding the law's objective:

108. The government’s objective in enacting CASL is revealed within the title of the Act: “to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities….”

109. The Act is clearly focused on e-commerce in Canada as a whole. This is expanded on in the objective clause of the Act (section 3).

110. In the Commission’s view, it is clear that the government’s objective is pressing and substantial. The factual evidence put forward by the Attorney General is detailed and convincingly supports this conclusion. There is an abundance of literature, analyses, reports, and statistical evidence that demonstrate the existence of spam and other electronic threats, the impact that they have on Canadian businesses and consumers, and how countries around the world have been compelled to introduce legislation to address these threats.


Note again the use of the word "spam". The law regulates and generally prohibits "commercial electronic messages" and its main defect -- in my view -- is that it goes after "spam" by limiting legitimate expression that is not "spam" and that has little if anything to do with harming confidence in electronic commerce.

However, the Commission did not follow CompuFinder's argument that the law is not minimally impairing.

152. CompuFinder’s argument at this stage is essentially that CASL’s CEM prohibition regime is overbroad, capturing more forms of expression than are necessary to achieve the statute’s purpose.

153. The Attorney General did not directly respond to each specific allegation of the law’s overreach. Instead, its main response to the overbreadth arguments raised by CompuFinder is that the Act does not impose a total ban on the sending of CEMs. Persons wishing to send commercial messages are not barred from using the Internet or email to advertise. In addition, the exceptions and exemptions to the general prohibition contained in section 6 of CASL act as levers that further limit the infringement of freedom of expression.

154. The Commission notes that, as indicated by the Supreme Court in JTI-Macdonald Corp., when interpreting these exceptions and exemptions, specific words should not be considered in isolation; rather, the interpretation must be guided by Parliament’s objective and its global intention sought.

155. In the case of CASL, Parliament’s concern was to combat a multitude of electronic threats that could have deleterious effects on Canada’s e-economy, Canadian businesses, and Canadian Internet users. In pursuing its objectives, Parliament has deliberately narrowed, and empowered the Governor in Council to make regulations narrowing, the applicability of the Act to certain commercial activities (as defined in subsection 1(1) of the Act), and enacted a long series of exceptions, exclusions, and limitations to the application of prohibitions on the sending of CEMs.

156. Examples of these exceptions can be found in subsections 6(5) and 6(6) of CASL and in the provisions regarding excluded messages in section 3 of the Governor in Council regulations. As a result of these and other exceptions and exemptions, the prohibition in section 6 of CASL does not apply to numerous types of CEMs, including those sent by or on behalf of an individual who has a personal or family relationship with the recipient, those consisting of an inquiry relating to a commercial activity engaged in by the recipient, certain notice-giving or transactional messages, and certain intra-organizational and inter-organizational messages.

157. Further, given that, in cases of ambiguity, claims of overbreadth may be resolved by appropriate interpretation, where the application of these exceptions and exclusions are potentially ambiguous, and such ambiguity could potentially lead to overbreadth of the provisions in question, they must be interpreted in the manner that would result in the least possible intrusion upon protected expression, while also respecting the intention of Parliament.

158. Accordingly, the Commission agrees with the Attorney General that the expression limited by CASL is substantially lessened as a result of its exceptions and exemptions. These exceptions, when taken as a whole, significantly narrow the application of section 6 and, as a result, on a balance of probabilities, the impugned provisions do not impair free expression more than necessary to achieve the objectives of CASL. In these circumstances, the limitations on the sending of CEMs are not unreasonable in light of their legislative purpose.

I disagree with this overall, but I am particularly concerned with what the Commission said in paragraph 157. It essentially said that the law can be made constitutional in some cases by erring on the side of a constitutional interpretation in the event of any ambiguity. That essentially says that the law can remain constitutional because the CRTC enforcement folks can interpret in a manner that scales back its overbreadth. I don't think I know anyone who practices in this area who thinks that the CRTC enforcement folks can be counted on to do that.

I remain of the view that CASL is overbroad and unduly limits protected expression that has nothing to do with protecting consumer confidence in e-commerce. The Commission's decision doesn't change my mind on that at all, and it will be interesting to see if this particular case goes any further.

Thursday, October 19, 2017

My comments on Nova Scotia's Intimate Images and Cyber-protection Act

Note: Because of very short notice, I will not be able to appear at the Nova Scotia Legislature's Law Amendments Committee to provide my views on Nova Scotia's new cyberbullying law. Here are my written comments that will be sent to the Committee for their consideration.

Thank you for the opportunity to provide my views on Bill 27, the Intimate Images and Cyber-protection Act.


I am a lawyer with McInnes Cooper whose practice is focused on internet and privacy law matters. I need to emphasise from the outset that these are my own personal and professional comments, and do not necessarily represent the views of my firm, its clients or any other organizations with which I am associated. I have been practicing in this area of law for over fifteen years. In this context, I am perhaps best known as being a vocal critic of the Cyber-Safety Act and being the lawyer who argued in Court that the old Act was unconstitutional.


If I could first comment on a matter of process, I am disappointed that I am not able to appear before the committee and answer any questions you may have. When this bill was first considered on October 16, 2017, I had less than one business day’s notice of the hearing and was out of town. I was advised on Thursday, October 19 that it would be before the committee on Monday, October 23. That’s one and a half days’ notice and I will be out of town on Monday. If the government were serious about getting this right, surely it would make it easier for experts to appear on the Bill. I am sure the Committee would benefit from testimony from the Canadian Civil Liberties Association or the Canadian Bar Association, but these organizations can’t just drop tools, consult with their stakeholders and develop a coherent and helpful position with that kind of notice. I can name at least five people who have immense expertise in the field of civil rights, cyberbullying, restorative justice and youth suicide who this Committee and Nova Scotians should hear from, but none will have a chance to provide their well-informed and expert views. I do not know if this is peculiar to this bill, but it certainly was the case with the original Cyber-Safety Act and Nova Scotians have suffered as a result.


In the meantime, the government has had a number of targeted consultations. I did meet with Justice officials twice to provide my views, with the final meeting commenting on a draft of the bill. I had some misgivings then which I’ll share with you today.


As I mentioned, I was the lawyer in the case that resulted in the Cyber-Safety Act being declared unconstitutional. I was previously very critical of the law and the former Premier said he “could not disagree with me more”. When that quote was posted by the CBC on their website, that cyberbullied me according to the law’s definition.


While the law was declared unconstitutional on December 10, 2015, it was unconstitutional on the day it was introduced on April 25, 2013, fewer than three weeks after the tragic death of Rehtaeh Parsons.


I stood up in court and called the Cyber-Safety Act a “dumpster fire”. Justice McDougall called it, much more politely, a “colossal failure” as far as the Charter is concerned.  


I argued, and the Court agreed, that the law had two principal failures. The first was that the definition of “cyberbullying” was far, far too broad and would include anything that could hurt someone’s feelings (including legitimate, political speech). The second failure was that a complainant could get a protection order without the alleged cyberbully ever having an opportunity to defend themselves. The justice of the peace would make a decision on the basis of only hearing one side of the case. And the first that the respondent would hear of it would be when a police officer would show up at their house -- usually at night -- and serve them with the order.


I think both of these issues have been addressed in the new Bill. The definition of “cyberbullying” raises the bar much, much higher. It may be too high, by requiring “malice”, but it does capture communications that are intended to harm the victim. The issue of procedural fairness has certainly been addressed, but I am afraid the pendulum may have swung too far the other way.


The way the Bill sets it out, a victim of cyberbullying has only one option: to commence an application in the Supreme Court of Nova Scotia following the Nova Scotia Civil Procedure Rules. I have 100% confidence in the fairness of a judge of the Supreme Court. But forcing a victim of cyberbullying to start a conventional lawsuit will represent a huge barrier to access to justice.


What I am saying is completely contrary to my own pecuniary self-interest. I am a lawyer who practices law in this area. My law partners much prefer that I charge clients for my time and for my services. We have a great pro bono program -- I think it’s one of the best in the country of any law firm that I am familiar with -- but I am not able to take the cases of all victims of cyberbullying. Going to the Supreme Court requires that a victim understand and follow the Civil Procedure Rules. They’ll have to read and understand Rules 5, 4, 5, and 6. They have to prepare a notice of application in court and an affidavit, all according to the rules. They’ll have to hire a process server to serve the documents on the respondent. They likely have to be in court across from their tormentor to schedule the next steps and the court hearing. They get a written affidavit from the respondent. They can then maybe file another response affidavit. They can maybe cross-examine the respondent outside of Court, assuming they are in a position to pay a court reporting service to transcribe the cross-examination on an expedited basis. Then they have to file their brief. And then they have their day in Court, except they never get to directly tell a judge their story. They don’t get to testify on their own behalf, since their testimony is only in their affidavit.


I would expect it would cost at least $10,000 for me to represent an applicant in this process. That is daunting. But what’s equally daunting is the prospect of a traumatized cyberbullying victim having to find, let alone understand and precisely follow, the civil procedure rules. That greatly troubles me and I think it should trouble you.


The legislature should seriously consider a different approach. I do not think I have all the answers, but I would suggest that the legislature should consider a less formal approach that still preserves the procedural fairness that was lacking in the old Cyber-safety Act. While the procedure for a peace bond is not without its shortcomings, there should be a procedure through which an applicant can go to court and tell their story. The respondent has the same right to know what is being alleged, to appear, to present their story and possible justification. If neither adduced evidence about some of the essential factors to be considered under the Act, the judge can ask them questions. And a decision follows. This can be before the Supreme Court of Nova Scotia or a judge of the Provincial Court.

I do agree with sidelining the CyberSCAN unit from enforcement of the law. In my experience and in my opinion, they were the wrong tool for the job. While perhaps not representative of all the people with whom they interacted, I consistently heard from and about people whose political or legitimate Charter-protected speech was removed from the internet because they bullied the people into removing it under threat of unspecified “legal action” that could include removing their internet access. It may have been a matter of who they hired for the role or how they were led, but the CyberSCAN unit was part and parcel of the speech suppression that the law represented. When I asked Roger Merrick how the CyberSCAN unit took the Charter into account in doing their jobs, I was told that the legislature took it into account when the bill was passed by this House. That was clearly incorrect.


I do think the CyberSCAN unit or some replacement of it could do good things. Education and awareness are important. Providing support to victims is important. I am sure that victims will need a lot of help in figuring out how to have their day in court, and they can be a resource for that.

One final concern that I have is that the legislation says that if the victim is a minor, their parent or guardian has to commence the application on their behalf. There should be a mechanism by which a minor can do this on their own. First of all, there may be a case where the case relates to intimate images and the minor does not want to tell their parents. Secondly, I can imagine a scenario where the parent is either the perpetrator or is unwilling to help the child. Some safeguard needs to be in place to give a child direct access to the courts.


I do want to take the opportunity to praise the manner in which the non-consensual distribution of intimate images is treated in the statute. By separating this from the definition of cyberbullying, it will effectively shield this from being struck down if the conventional cyberbullying aspect is found to be unconstitutional.


Again, I regret that there was not enough notice for me to appear in person and answer any questions by the Committee. However, I am easy to find and I would be pleased to discuss this important matter with any Committee members or their staffers.

Wednesday, October 11, 2017

Nova Scotia introduces new "secure" ID and licenses; fails to mention use of biometrics

The Government of Nova Scotia just announced that it is introducing new "secure" provincial ID cards and drivers licenses.

What they failed to mention in any of their press releases or in any of the media coverage is that the new system will incorporate facial recognition technology. How this will be used or controlled is still unclear.

I contacted the province, which confirmed the use of facial recognition, but was unable to provide me with any information about the incidence of forgery and fraud that they use to justify the new licenses.

Privacy geeks will recall that the provincial authority in British Columbia offered police the use of their massive biometric database to identify people involved in the Vancouver Stanley Cup riot. (Canadian Privacy Law Blog: ICBC offers up its drivers' license database (with facial recognition) to ID Vancouver rioters) Who controls the database and how it will be used is very important, and very unclear at the moment.

Added later: See below for some follow-up questions and answers.

Here's their media release:

New Secure Driver’s Licence and Photo ID Cards

Transportation and Infrastructure Renewal/Service Nova Scotia

October 10, 2017 12:44 PM

Nova Scotia driver’s licence and photo ID cards will soon be better protected against identity theft, fraud and forgery.

Nova Scotia and the three other Atlantic provinces, are introducing a new, highly secure driver’s licence and photo ID card. Starting in November, the cards will be printed at a central facility shared by all four provinces and mailed to clients within 14 days.

“The main reason for this change is to protect Nova Scotians against identity theft and fraud,” said Lloyd Hines, Minister of Transportation and Infrastructure Renewal. “These changes will help us keep pace with the latest security and technology advances, and bring us in line with the rest of the country.”

Nova Scotians do not need to get a new licence or photo ID card until their current one is up for renewal. Since the cards will no longer be printed at Access Nova Scotia Centres and Registry of Motor Vehicles offices, clients renewing their licence will be given a 30-day temporary document to use until their new licence arrives.

There will be a strict review process before cards are issued to help prevent fraud and identify theft. Highly advanced, anti-counterfeiting security features will also help ensure they cannot be copied using new printing technologies.

"As Nova Scotia's provincial police, the RCMP is pleased to see any initiative that decreases opportunities for fraudulent activity," says Chief Superintendent Marlene Snowman, Nova Scotia RCMP Criminal Operations Officer. "Police officers often rely on the validity of licence information for a variety of reasons so these changes will make a positive difference for frontline officers across the province."

Access Nova Scotia will start to move to the new process for driver’s licences and photo ID cards next month with full implementation expected to be in place by the end of December.

In December 2016, the four Atlantic provinces awarded Gemalto, a world leader in digital security, a five-year contract to produce and mail the driver's licences and photo ID cards.

There is no fee increase for the new driver’s licence and photo ID card. The new cards will be implemented over the next five years as driver’s licences expire.

For more information, visit www.novascotia.ca/driverslicence.


Edit: I had some follow-up questions for the government's spokesperson. Here are my questions and the answers:

The new IDs will bring NS in line with the cutting edge of security features. That being said, protecting the privacy of citizens remains a top priority. The sole purpose of the facial recognition is to help identify individuals attempting to obtain fraudulent duplicate IDs. The province has no authority to share it for any other purpose, with any other entity, unless ordered by the courts. To your specific questions:


1. Will the biometric database be managed by the contractor or by the government? Government

2. If by the government, which department? Transportation and Infrastructure Renewal and Service Nova Scotia.

3. Will the database for NS be combined with those of the other provinces? No

4. Was a privacy impact assessment carried out? If so, by whom? Was it reviewed by the Information and Privacy Commissioner? Yes, the PIA was conducted by Nicom IT and IAP Services (at the department of Internal Services) has participated in the process, reviewed and recommended for approval, also as per their usual practice. It will be provided to the Commissioner for their records.

5. Are there any policies in place or being developed for access to or use of the database, other than administration of the license/ID card system? No.

6. Will any contents of the database be provided to any other government and under what circumstances? No.

7. Will faces in the database be matched to any other database? No.

Friday, October 06, 2017

Nova Scotia introduces new anti-cyberbullying bill

On October 5, 2017, the Nova Scotia Liberal government introduced a new bill to replace the former Cyber-safety Act, which was struck down as unconstitutional (a "colossal failure", said the judge). The Intimate Images and Cyber-protection Act is the result of a serious re-think of all the defects found in the Cyber-safety Act.

Some important differences:

1. The bill has a much more narrow definition of "cyberbullying". The previous law would have considered anything done online that could hurt your feelings to be cyberbullying. In this version, the alleged cyberbully has to maliciously intend to cause harm or has to be reckless with regard to the risk.

(c) "cyber-bullying" means an electronic communication, direct or indirect, that causes or is likely to cause harm to another individual's health or well-being where the person responsible for the communication maliciously intended to cause harm to another individual's health or well-being or was reckless with regard to the risk of harm to another individual's health or well-being, and may include

(i) creating a web page, blog or profile in which the creator assumes the identity of another person,

(ii) impersonating another person as the author of content or a message,

(iii) disclosure of sensitive personal facts or breach of confidence,

(iv) threats, intimidation or menacing conduct,

(v) communications that are grossly offensive, indecent, or obscene,

(vi) communications that are harassment,

(vii) making a false allegation,

(viii) communications that incite or encourage another person to commit suicide,

(ix) communications that denigrate another person because of any prohibited ground of discrimination listed in Section 5 of the Human Rights Act, or

(x) communications that incite or encourage another person to do any of the foregoing;

2. Applications are no longer ex parte. The accused cyberbully has to be given notice of the application and is given an opportunity to appear and respond to the allegations. This fixes the Charter s. 7 defect in the old law.

3. There are a range of defences available. One defect identified in the old Cyber-safety Act was that there were no defences available to an allegation of cyberbullying. In the new bill, there are a few that are intended to protect freedom of expression:

7(2) In an application for an order respecting cyber-bullying under this Act, it is a defence for the respondent to show that

(a) the victim of the cyber-bullying expressly or by implication consented to the making of the communication;

(b) the publication of a communication was, in accordance with the rules of law relating to defamation,

(i) fair comment on a matter of public interest,

(ii) done in a manner consistent with principles of responsible journalism, or

(iii) privileged;


(c) where the respondent is a peace officer acting in the course of the peace officer's duties, that the communication was necessary to prevent a crime or discover, investigate or prosecute the perpetrators of a crime and did not extend beyond what was necessary;

(d) where the respondent is a public officer acting in the course of the duties of the public officer's office, that the communication was necessary to fulfil the duties of that office and did not extend beyond what was necessary.

4. The bill addresses the non-consensual distribution of intimate images separately, which is a good thing. The language for this is essentially drawn from the Criminal Code offence of distributing an intimate image without consent, but this bill provides civil remedies including an order for removal.

5. The CyberSCAN unit has no role in enforcement. I heard about a number of instances where the CyberSCAN unit itself bullied people to remove political content, so taking away their ability to do that is a good thing. The downside is that individuals don't have a publicly-funded organization that they can look to for legal remedies.

6. The remedies are all self-help. Applications for orders and damages go only to the Supreme Court of Nova Scotia, using the usual processes for applications under the complicated civil procedure rules. This will lead to self-represented litigants getting lost in the civil justice system or having to hire lawyers. I think I would have preferred a simplified process, similar to a peace bond, in the Nova Scotia Provincial Court.

7. Orders to prevent the identification of victims are virtually automatic. A publication ban to protect the identity of the complainant is automatic if the applicant is a minor and will automatically be granted on request to an applicant related to an intimate images proceeding. This is a good thing, as putting discretion in the hands of the court would discourage applicants from coming forward. They can proceed knowing their identity is protected and they will not be re-victimized by the court process.

8. The bill seems to anticipate possible diversion to restorative justice. How this will play out is anyone's guess, but it makes sense to encourage diversion where appropriate.

I expect I'll have more comments on it as I fully digest it, but these are the principal differences between the old and the new.

The government appears to be planning to spend the next few months consulting publicly, with the bill slated to pass in the spring of 2018.

Friday, September 01, 2017

Canadian breach notification requirements finally published for comment

The Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (Canada) to add notification requirements for "breaches of security safeguards", but we've all been anxiously awaiting regulations that will breathe life into the provisions. Finally, they'll be published in the Canada Gazette tomorrow.

The text (below) and the Regulatory Impact Analysis Statement do not really contain any surprises, other than a silly requirement that you can only give notice of a breach by email if "the affected individual has consented to receiving information from the organization in that manner." This seems to be a silly nod to Canada's asinine anti-spam law, which would otherwise permit such notices by email.

Here is the regulatory impact analysis statement. You can get the proposed regulation from the Canada Gazette publication:

Canada Gazette Part I, Vol. 151, No. 35 — September 2, 2017 - Breach of Security Safeguards Regulations

Statutory authority

Personal Information Protection and Electronic Documents Act

Sponsoring department

Department of Industry

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Issues

On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA or the Act), in a number of areas. A key change was the establishment of mandatory data breach reporting requirements.

These new provisions are set out in Division 1.1 of PIPEDA, but are not yet in force. The proposed Regulations provide further details pertaining to certain statutory requirements, and prescribe the process for the coming into force of the Regulations.

Background

Legislative framework

PIPEDA applies to the collection, use or disclosure of personal information by every organization in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or fundraising lists.

The federal government may exempt from PIPEDA organizations and/or activities in provinces that have adopted substantially similar privacy legislation. To date, Quebec, British Columbia and Alberta have adopted private sector legislation deemed substantially similar to PIPEDA. Further, Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted substantially similar legislation with respect to personal health information.

Even in those provinces that have adopted legislation substantially similar to the federal privacy legislation, PIPEDA continues to apply to all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

PIPEDA also continues to apply in those provinces to federally regulated organizations — “federal works, undertakings or businesses” — such as banks, and telecommunications and transportation companies.

The purpose of PIPEDA is to facilitate growth in electronic commerce through increasing the confidence of Canadians and businesses in the digital economy. The Act employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of business to use or exchange information.

Mandatory data breach reporting under PIPEDA

With the implementation of Division 1.1 of PIPEDA, organizations that experience a data breach — referred to in the Act as a “breach of security safeguards” — will have certain obligations, as follows:

  • The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
  • When the organization considers that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
  • The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
  • The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.

Subsection 26(1)(c) of PIPEDA provides the Governor in Council with the authority to make any regulations that are required under the Act. The objective of this regulatory proposal is to provide greater certainty and specificity with respect to certain elements of the Act’s data breach reporting requirements under Division 1.1.

Objectives

The objectives of the proposed Regulations are to

  • ensure that all Canadians will receive consistent information about data breaches that pose a risk of significant harm to them;
  • ensure that data breach notifications contain sufficient information to enable individuals to understand the significance and potential impact of the breach;
  • ensure that the Commissioner receives consistent and comparable information about data breaches that pose a risk of significant harm; and
  • ensure that the Commissioner is able to provide effective oversight and verify that organizations are complying with the requirements to notify affected individuals of a data breach and to report the breach to the Commissioner.

Description and rationale

With regard to the statutory requirements for data breach reporting under Division 1.1 of PIPEDA, the proposed Regulations will

  • specify the minimum requirements for providing a data breach report to the Commissioner;
  • specify the minimum requirements for notifying affected individuals of a data breach; and
  • confirm the scope and retention period for data breach record-keeping.

Recognizing the vast range of organizations that are subject to PIPEDA, the proposed Regulations are designed to provide maximum flexibility for organizations to fulfill their statutory obligations in a manner that is compatible with their particular circumstances.

Data breach report to the Commissioner

The proposed Regulations list the categories of information that must be contained in a report to the Commissioner, but do not preclude additional information from being provided by the organization, should it believe that the information is pertinent to the Commissioner’s understanding of the incident.

The proposal aligns closely with what is currently recommended in guidance by the Office of the Privacy Commissioner of Canada (OPC) for voluntary data breach reporting, and with what is required for mandatory breach reporting in Alberta (see footnote 1) and in the European Union. (see footnote 2)

The proposed Regulations allow for data breach reports to be submitted with the best information available to the reporting organization at the time. This allows an organization to report breaches within an appropriate time frame, even when all information is not yet available. In these cases, organizations may provide updates to the report at a later date, if further pertinent information becomes available.

Notifying affected individuals of a data breach

The proposed Regulations also list the categories of information that must be contained in a notification to affected individuals. However, organizations are not precluded from providing additional information or designing the notice to suit the intended audience.

This approach provides some certainty to organizations as to what is required as a minimum to comply with the statutory requirements for notification. At the same time, it provides flexibility on the format, design and means of notification. This allows organizations to conduct notifications in line with established practices and expectations of their stakeholders.

The proposed Regulations identify certain commonly used forms of communication as appropriate means of direct notification to individuals, with some caveats to ensure that prompt and secure communication of the information takes place. The proposal also recognizes that notification by other unspecified means of communication may also be appropriate, if they are considered to be secure and prompt, and have been established by the organization as a means of communicating important information to the intended audience.

Circumstances where indirect notification to affected individuals would be permitted, in place of direct notification, have been listed in the proposed Regulations. These circumstances are generally considered by stakeholders to be situations where direct notification to all individuals affected by a breach may be impossible or unfeasible for the breached organization, or where direct notification may not be in the best interest of the individuals themselves. The proposed Regulations also confirm that public announcements or advertisements can be considered as appropriate for indirect notifications. Additional requirements for the use of these communication channels are prescribed to increase the probability that affected individuals will receive the information.

Data breach record-keeping

The proposed Regulations will affirm that the purpose of data breach record-keeping is to facilitate oversight by the Commissioner to ensure compliance with the requirements to report to the Commissioner and notify affected individuals of significant breaches. This in turn will encourage better data security practices by the organizations.

To this end, the proposed Regulations will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information. The proposal allows for a broad interpretation of what information would constitute a “record” for the purpose of PIPEDA.

This approach provides protection for any material, regardless of medium or form, that may be provided to the Commissioner in response to a request for data breach records. By not enumerating what constitutes a record in regulations, the Access to Information Act exemption in PIPEDA may be extended to whatever is considered a breach record for the purpose of the Act.

The proposed Regulations specify that organizations must hold data breach records for a minimum period of time; specifically 24 months. This allows the Commissioner to request and review the history of breaches experienced by a particular organization within a two-year window. The proposed time frame reflects the standard practice in most provinces for limitations on initiating civil litigation. It is intended to be a minimum requirement, providing for the retention of data breach records for longer than two years, if an organization’s other obligations, practices or requirements so dictate.

For greater certainty, the proposed Regulations clarify that a data breach report provided to the Commissioner under subsection 10.1(1) of PIPEDA can also be considered a data breach record.

Coming into force

To facilitate compliance with the new data breach reporting regime under PIPEDA, the proposed Regulations provide for implementation at the same time as the related statutory requirements under Division 1.1 of PIPEDA, and allow for a lag period between the publication of final Regulations and their coming into force.

Impacts

Businesses

All organizations subject to PIPEDA will be impacted by the proposed Regulations. However, many will have already implemented data breach reporting practices that align with the proposal, given that it reflects existing best practices established by the OPC and legislative requirements in Alberta.

For those organizations that do not have established processes and procedures for tracking data breaches and reporting accordingly, the proposed Regulations provide for a delayed coming into force date after the publication of the final Regulations.

Consumers

The Canadian marketplace will see a positive impact of the proposed Regulations. Consumers will have the assurance that when they are affected by a data breach posing a risk of significant harm, they will receive the right information in an appropriate manner, regardless of where the breach occurred.

Office of the Privacy Commissioner of Canada

The responsibility for overseeing compliance with PIPEDA rests with the Commissioner. As part of its oversight of data breach reporting requirements under the Act, the OPC will receive reports on data breaches posing a real risk of significant harm, request data breach records of organizations, at its own discretion, and provide advice and guidance to organizations as to how to comply with their breach reporting obligations under the Act. Where appropriate, the Commissioner will investigate complaints pertaining to suspected contraventions of data breach reporting requirements, and conduct audits of organizational practices in this regard.

As part of its annual report to Parliament on PIPEDA, the OPC may provide information on the extent and nature of reported data breaches in an aggregate and anonymized manner.

Benefits and costs

Social benefits

The proposed Regulations are expected to contribute positively to the privacy and security of individuals. Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.

The proposed Regulations are anticipated to help mitigate harm to individuals who are affected by a data breach, and to increase the protection of Canadians’ personal information in general by encouraging better data security practices.

The costs to consumers stemming from data breaches are significant and far-reaching. According to Javelin Strategy and Research, which has done comprehensive annual studies of identity theft in the United States since 2006, a significant proportion of individuals who are impacted by a data breach become victims of identity theft or fraud. Beyond financial costs, the potential for humiliation and loss of opportunity resulting from breaches of personal information also exists, and has been recognized by the courts in Canada.

Mandatory data breach notification under PIPEDA provides an increased level of protection for Canadians and other consumers in the Canadian marketplace by allowing them to take steps to protect themselves from potential harm resulting from that breach.

The proposed Regulations will enhance this protection in a number of ways. By ensuring that all breach notifications contain a core set of information and are provided in an appropriate manner, the proposed Regulations will result in more effective notifications by increasing the probability that affected individuals will receive the information and understand its significance.

A minimum standard for notification also assures Canadians that they can expect a similar approach to notification by all organizations.

Economic benefits

The proposed Regulations will serve to codify existing best practices for data breach reporting and create certainty across the marketplace about how organizations notify individuals affected by a breach. They will also harmonize Canada’s regime for data breach reporting with those of other jurisdictions, reducing the burden of reporting for organizations operating in multiple jurisdictions.

In particular, the proposed Regulations will specify the minimum content of a breach report to the Commissioner, ensuring that reports contain adequate and consistent information to enable the Commissioner’s oversight of the requirement to notify individuals. It ensures that all organizations are held to the same standard when reporting breaches and creates a level playing field for regulated organizations across Canada.

Prescribing the content of notifications to individuals and reports to the Commissioner will align the federal private sector regime for mandatory breach reporting with equivalent provincial legislation, and those of Canada’s major trading partners.

In particular, the European Union General Data Protection Regulation (GDPR), which comes into force in 2018, includes mandatory data breach reporting and requires organizations to include similar information in reports to authorities and to individuals. Also in line with the proposed Regulations, EU companies will be required to keep a record of all data breaches for the purpose of demonstrating due diligence with regard to their reporting obligations.

This alignment is important to Canada–EU trade. PIPEDA is currently deemed to provide an essentially equivalent level of privacy protection to the European Union, which allows for the free flow of personal information from the European Union to Canadian organizations.

It is also an important factor in mitigating compliance costs for organizations that operate in multiple jurisdictions. Many organizations subject to PIPEDA are also required to comply with provincial or international laws, and in the case of a data breach may be required to notify individuals in various jurisdictions. To the extent that the proposed Regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada.

Public security benefits

The proposed Regulations are expected to contribute positively to the security of individuals and the cyber security readiness of Canadian businesses. The regulatory proposal implements statutory requirements to report data breaches, which has been established as an important element of Canada’s cyber security policy.

Experts in data security believe that data breaches are on the rise because organizations are not taking appropriate measures to protect the data they hold. A 2016 report by the Internet Society on the economics of data breaches surmises that the reason for this is twofold: (1) organizations do not bear all the costs of data breach (much is borne by affected individuals), and (2) there is not enough benefit to them in better protecting their users’ data. (see footnote 3) Mandatory breach reporting and record-keeping provide a much needed incentive for organizations to adopt better security practices.

A requirement to maintain records of all breaches for a two-year period will incentivize organizations to track and analyze the impact of all data security incidents. Although many data breaches appear to cause no harm, there may be data security implications. The EY 2016 Global Information Security Survey found that the majority of organizations currently do not increase their cyber security spending after experiencing a breach that does not appear to do any harm. The authors of the report indicate that this is concerning given that cyber criminals often make “test attacks,” lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to. (see footnote 4)

The proposed Regulations will also ensure that breach reports to the Commissioner are provided in such a way that incidents can be compared and aggregated to provide a much needed repository of information on data security incidents in Canada; something that experts say will lead to a better shared understanding of cyber security threats. According to the Internet Society report, sharing this information responsibly has a number of benefits: it helps organizations globally improve their data security, helps policy-makers improve policies, helps regulators pursue attackers, and helps the data security industry produce better solutions. (see footnote 5) The report recommends that in order to reduce incidents of data breaches we must increase transparency of the issues through data breach notifications and disclosure.

Consistency in reporting will also allow for metrics to be developed for evidence-based policy-making. Currently there is little data available about the extent and nature of data breaches across the Canadian marketplace, outside of Alberta and the health sector in certain provinces.

Costs

The costs to business directly resulting from the proposed Regulations are expected to be nominal, given that the bulk of the compliance and administrative burden arises from the statutory obligations imposed by the Digital Privacy Act.

Further, the proposed Regulations reflect in large part existing best practices that have been established under the voluntary reporting initiative of the OPC, and under equivalent legislation in certain provinces. Given that these practices have been in place for several years, it is expected that many regulated organizations will have already incorporated them to some degree into their own policies and procedures.

It is anticipated that the flexible approach taken in the proposed Regulations will serve to mitigate the costs of complying with the statutory requirements for notifying individuals. The proposed Regulations allow for organizations to notify individuals indirectly where directly contacting each affected individual may prove unreasonably costly. In these cases, the proposed Regulations allow notification to take place via communication channels that are much more cost effective and efficient, greatly reducing the burden of notification. This may be particularly important for small to medium-sized organizations that may experience a data breach involving a very large number of customers.

The proposed Regulations also allow for organizations to craft notifications in a way that is appropriate for the circumstances and the audience. Though a core set of information is required to be included in notifications to individuals, the proposed Regulations are silent on their format and design.

Consultation

During Parliament’s review of the Digital Privacy Act, many stakeholders representing businesses, consumers and the legal community presented their views on the proposed regime for data breach reporting. The majority were generally supportive of the Bill’s approach, which proposed the use of regulations to provide details on statutory requirements.

Subsequent to the royal assent of the Digital Privacy Act, stakeholders were specifically consulted on the proposed use of regulations. Innovation, Science and Economic Development Canada (ISED) published a comprehensive discussion paper that posed a series of specific questions and invited stakeholders to provide their views on how the Government should exercise its regulatory authority. The discussion paper was posted on the Government’s consultation portal (www.consultingcanadians.gc.ca) and was distributed directly to specific stakeholder groups. ISED also held bilateral and multilateral meetings and teleconferences with interested stakeholders to allow them to express their views on the proposed Regulations.

The majority of stakeholders expressed support for the use of regulations to provide more certainty around how certain statutory provisions should be interpreted. A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances. The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.

Another theme was the desire for harmonization with established best practices for breach reporting: in particular, existing guidance by the OPC for voluntary breach reporting and mandatory reporting requirements in Alberta and the European Union were cited.

Generally, there was some consensus on the need for regulations to clarify content and format of reports to the Commissioner and notifications to affected individuals. Likewise, there was a general desire to see further direction in regulations on record-keeping requirements. However, the majority of stakeholders indicated that guidelines may be more appropriate than regulations to provide further direction in certain areas, including the use of additional factors to be considered when conducting an assessment of risk and determining which third-party organizations should be informed of a breach.

The OPC concurred that guidance material would be appropriate in these areas to assist regulated organizations and indicated that it would take steps to provide the necessary material.

Several stakeholders called for regulations to speak to the role of encryption in a data breach: specifically, whether a data breach involving encrypted information could be presumed to carry a low risk of harm, effectively providing a “safe harbour” against mandatory notification. The OPC held an opposing view in its response, stating that there are other factors that influence the effectiveness of encryption, including the level of encryption employed and whether or not the encryption key has been compromised. As a result, despite the use of encryption there remains a possibility that personal information could be decrypted, potentially posing a real risk of significant harm to the individual involved.
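As an added illustration, and not code from the Regulations, the OPC or this blog, the following Python breach register ties together the obligations listed under Division 1.1 above (assess the real risk of significant harm on sensitivity and probability of misuse, then report, notify and record), the allowance for a report filed with the best information available and updated later, the 24-month minimum retention of breach records, and the OPC's position on encryption in the preceding paragraph. The sensitivity tiers, the exposure categories, the numeric threshold and every field and function name are assumptions made here for the example; neither the Act nor the Regulations prescribe them.

```python
"""Breach register: "real risk of significant harm" triage and 24-month retention.

Added illustration, not code from the Regulations, the OPC or this blog. The
sensitivity tiers, exposure weights, score threshold and field names are all
assumptions made for the example; the Act itself only says the assessment must
weigh the sensitivity of the information and the probability that it is misused.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Assumed sensitivity tier (1 = low, 3 = high) per category of personal information.
SENSITIVITY = {
    "name": 1, "email": 1, "phone": 1, "postal_address": 1,
    "date_of_birth": 2, "employment": 2, "purchase_history": 2,
    "government_id": 3, "financial": 3, "health": 3, "credentials": 3,
}
# Assumed baseline probability of misuse (1 = low, 3 = high) by how the data left control.
EXPOSURE = {
    "misdirected_to_known_party": 1,   # e.g. e-mail to the wrong customer, confirmed deleted
    "internal_unauthorised_access": 2,
    "lost_or_stolen_device": 2,
    "external_attacker": 3,            # deliberate exfiltration
}
RETENTION_MONTHS = 24  # minimum holding period for breach records in the proposed Regulations
RRSH_THRESHOLD = 4     # assumed: sensitivity x probability at or above this is a real risk

@dataclass
class BreachRecord:
    record_id: str
    discovered: str                  # ISO date on which the breach became known, e.g. "2018-01-15"
    categories: tuple[str, ...]      # kinds of personal information involved
    exposure: str                    # key into EXPOSURE
    encrypted: bool = False
    encryption_adequate: bool = False  # strong algorithm, correctly used
    key_compromised: bool = True       # assume the worst until shown otherwise

@dataclass
class Assessment:
    sensitivity: int
    probability: int
    real_risk: bool
    reasons: list[str] = field(default_factory=list)

def assess(rec: BreachRecord) -> Assessment:
    """Triage one breach: sensitivity of the data times the probability of misuse."""
    reasons: list[str] = []
    unknown = sorted(c for c in rec.categories if c not in SENSITIVITY)
    if unknown:  # never silently drop data the register does not know how to rate
        reasons.append(f"uncategorised data rated medium sensitivity: {unknown}")
    sensitivity = max(SENSITIVITY.get(c, 2) for c in rec.categories)
    probability = EXPOSURE[rec.exposure]
    if rec.encrypted and rec.encryption_adequate and not rec.key_compromised:
        probability = 1  # encryption lowers the probability of misuse; it is not a safe harbour
        reasons.append("adequately encrypted, key not compromised: probability set to low")
    elif rec.encrypted:
        reasons.append("no credit for encryption: weak scheme or key compromised")
    score = sensitivity * probability
    real_risk = score >= RRSH_THRESHOLD
    reasons.append(f"sensitivity {sensitivity} x probability {probability} = {score}; "
                   f"{'report and notify' if real_risk else 'record only'}")
    return Assessment(sensitivity, probability, real_risk, reasons)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps the day (29 Feb 2016 + 24 months -> 28 Feb 2018)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def retention_expiry(rec: BreachRecord) -> date:
    """Earliest date the record may be destroyed under the 24-month minimum."""
    return add_months(date.fromisoformat(rec.discovered), RETENTION_MONTHS)

class BreachRegister:
    """Every breach is recorded, reportable or not; a report can be filed now and updated later."""
    def __init__(self) -> None:
        self._records: dict[str, BreachRecord] = {}
        self._reports: dict[str, list[dict]] = {}  # record_id -> report versions, oldest first

    def add(self, rec: BreachRecord) -> Assessment:
        if rec.record_id in self._records:
            raise ValueError(f"duplicate record id {rec.record_id}")
        self._records[rec.record_id] = rec
        return assess(rec)

    def file_report(self, record_id: str, report: dict) -> int:
        """File with the best information available; each later call appends an update."""
        if record_id not in self._records:
            raise KeyError(f"no breach record {record_id}")
        versions = self._reports.setdefault(record_id, [])
        versions.append({**report, "version": len(versions) + 1})
        return len(versions)

    def purge_eligible(self, today: str) -> list[str]:
        """Ids of records whose minimum retention period has run out as of `today` (ISO date)."""
        cutoff = date.fromisoformat(today)
        return [rid for rid, r in self._records.items() if retention_expiry(r) <= cutoff]
```

Two design choices follow the text rather than the stakeholders' "safe harbour" request: an encrypted breach is still entered in the register and still scored, and encryption only lowers the probability of misuse when the scheme is adequate and the key is not known to be compromised; with a compromised key the exfiltrated credentials in the test below score exactly as an unencrypted loss would. Retention is computed in calendar months from the discovery date with day clamping, so a record opened on 29 February is not eligible for destruction a day early.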

Some stakeholders, including the OPC, called for data breach reports to include an assessment of the type of harm(s) that may result from the breach, in line with the approach in Alberta. However, the proposed Regulations do not prescribe this as mandatory content in order to address concerns that this type of information is speculative and hypothetical. Stakeholders also argued that it would be difficult for many small and medium-sized organizations to make such an assessment given that they may not have the expertise or resources to do so.

Some organizations proposed that the Regulations should specify which organization is required to undertake notification to individuals in situations where a breach occurs at a service provider or supplier organization. However, the majority held the view that determining which organization is responsible for conducting the notification should be in accordance with the existing Accountability Principle in Schedule 1 of PIPEDA, such that overall responsibility for ensuring compliance rests with the organization having control of the personal information in question. In some cases the term “control” does not necessarily equate to “custody,” but instead refers to overall responsibility for the personal information.

During consultations, many organizations called for a transition period between the publication of the final Regulations and the date of coming into force. They argued this would provide adequate time for organizations to implement required changes to information management systems and to train employees accordingly. Proposed transition periods ranged from 6 to 18 months.

Many organizations also raised concerns about the confidentiality of information contained in breach reports and breach records and the potential for inadvertent public disclosure of sensitive data security details or other proprietary information. It should be noted that the Digital Privacy Act amended the Access to Information Act (ATIA) to create a statutory exemption to the disclosure of any data breach record or data breach report in response to an access to information request. This amendment to the ATIA will come into force with PIPEDA’s other data breach notification and reporting provisions found in Division 1.1 of PIPEDA.

Finally, some organizations called for the Regulations to reduce the scope of the statutory requirement for data breach record-keeping, such that organizations would only be required to keep records of “material” or significant breaches. However, the Government has clearly indicated that the purpose of the record-keeping provisions is to provide the Commissioner with an ability to determine whether or not organizations are tracking all breaches and complying with the requirements to report significant breaches and notify affected individuals.

“One-for-One” Rule

This regulatory proposal is not expected to directly increase the administrative burden on business and is therefore exempt from the “One-for-One” Rule.

Costs to regulated organizations resulting from this regulatory proposal are considered to be nominal, given that the administrative burden arises from the statutory obligations for reporting breaches to the Commissioner, notifying affected individuals, and for record-keeping imposed by the Digital Privacy Act. The proposed Regulations simply provide further specification on those obligations.

Small business lens

The small business lens does not apply because the estimated nationwide cost impact of this regulatory proposal is less than $1 million per year.

Implementation, enforcement and service standards

The proposed Regulations would come into effect at the same time as the statutory requirements pertaining to data breach reporting under Division 1.1 of PIPEDA. The coming into force of the statutory requirements will be established through a subsequent Order in Council once the Regulations are final.

The proposed Regulations will allow for a delayed coming into force after the publication of the Regulations. This will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience.

In the meantime, ISED will work with the OPC to identify areas where guidance material is required to assist organizations in interpreting and complying with their new obligations. Particular consideration will be given to providing guidance on conducting a risk assessment.

Enforcement of the proposed Regulations would reflect the existing compliance regime under PIPEDA, whereby the Commissioner is responsible for providing oversight and investigating complaints. Record-keeping plays a key role in the oversight regime — the Commissioner can conduct an audit or launch an investigation based on a record or group of data breach records. The OPC will also use data breach information to increase awareness and understanding of the extent and nature of data breaches in Canada.

New provisions for offences and fines for willful and deliberate contravention of these new requirements were imposed by the Digital Privacy Act. As per other contraventions and offences under PIPEDA, courts are authorized to impose fines pertaining to a contravention of the data breach reporting provisions and to order non-compliant organizations to change practices.

ISED will evaluate the need for amendments to the Regulations on an ongoing basis based on results of data breach reporting that are provided by the OPC, and on informal stakeholder feedback from regulated organizations.

Contact

Charles Taillefer

Director

Privacy and Data Protection Directorate

Marketplace Framework Policy Branch

Strategy and Innovation Policy Sector

Innovation, Science and Economic Development Canada

Telephone: 343-291-1774

Email: charles.taillefer@canada.ca

Wednesday, July 26, 2017

British Columbia Commissioner finds that "Creep Catchers" violated province's privacy law

The Information and Privacy Commissioner of British Columbia has just released a very interesting decision and order against the "Surrey Creep Catchers". The Creep Catchers are a loosely affiliated group of people whose stated purpose is to expose online predators, particularly those who will then arrange to meet with children for nefarious purposes. Their modus operandi is to engage with people online, on dating sites and other sites, suggest they are underage and arrange a meeting. They then post video, chat logs, etc. to "expose" or shame the individuals.

In this case, two individuals who were targeted complained to the Information and Privacy Commissioner, who has found that the Creep Catchers violated the Personal Information Protection Act of BC. Most interestingly, the decision found (a) they are an "organization" for the purposes of the Act, (b) they are not engaged in journalism, so that exclusion doesn't help them, and (c) they cannot take advantage of the consent exceptions that apply for legitimate investigations.

A bit troubling is the uncritical following of the definition of journalism used in the Globe24h.com decision of the Federal Court. One will hopefully recall that case was uncontested and the Court simply adopted the restrictive definition put forward by the Office of the Privacy Commissioner of Canada:

[18] In order for s. 3(2)(b) to apply, the Organization must be collecting, using, or disclosing personal information for a journalistic purpose. In A.T. v. Globe24h.com, the Federal Court of Canada considered what constitutes journalism for the purposes of the analogous section of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The “journalistic” purpose exception is not defined in PIPEDA and it has not received substantive treatment in the jurisprudence. The OPCC submits that the Canadian Association of Journalists has suggested that an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation”. Those criteria appear to be a reasonable framework for defining the exception. None of them would apply to what the respondent has done.

[19] I use the above three criteria to determine whether an organization is carrying out its activities for a journalistic purpose under s. 3(2)(b) of PIPA.

I have cautioned before that one should be cautious in applying Globe24h because the entire court case was unopposed and the Court appears to have simply adopted the OPC's argument without too much critical discussion.

It should also be noted that the BC statute applies to a broader range of "organizations" than PIPEDA, for example. If this case were to arise under the federal statute, I'm not sure the OPC would be able to find jurisdiction.

Here is the summary of the decision prepared by the OIPC:

Two individuals complained that an organization improperly collected, used and disclosed their personal information. The organization had induced each individual to have online communication with a fictitious woman over the age of 18, subsequently conveyed that this decoy was under the age of 16, and arranged a meeting to confront each man for attempting to lure a minor. The organization video-recorded the encounter and disseminated the video on social media. The Acting Commissioner found that the organization collected, used and disclosed the complainants’ personal information contrary to the Personal Information Protection Act because it had not obtained their consent and had no other authority to collect, use or disclose their personal information. He ordered the organization to stop collecting, using and disclosing the complainants’ personal information, to destroy all of their personal information in its custody or under its control, and to ask others who disseminated the information to remove and destroy it as well.

Wednesday, June 07, 2017

Canadian government pulls the plug on the Canadian Anti-Spam Law private right of action

It's official ... the ability to sue for damages under Canada's Anti-Spam Law (CASL) has been put on ice. An order-in-council dated June 2, 2017 repealed the provision of a previous cabinet order that set the commencement of the private right of action as July 1, 2017. Without that provision, the private right of action will not come into effect.

PC Number: 2017-0580

Date: 2017-06-02

His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to section 91 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, chapter 23 of the Statutes of Canada, 2010, amends Order in Council P.C. 2013-1323 of December 3, 2013 by repealing paragraph (c).


The Precis sets out the rationale:

Order Amending Order in Council P.C. 2013-1323 of December 3, 2013 in order to delay the Coming into Force date of sections 47 to 51 and 55 of Canada's Anti-spam Law, which provides for a private right of action, in order to promote legal certainty for numerous stakeholders claiming to experience difficulties in interpreting several provisions of the Act while being exposed to litigation risk.


This gives Canadian business, government and consumers the chance to take a breath and figure out whether this dumpster fire of a law is the right tool for the job.

CASL's civil right of action to be delayed?

I am hearing from reliable sources that the government has agreed to postpone the civil right of action under Canada's Anti-spam Law. The provisions, which were planned to come into effect on July 1, 2017, would mean a person or corporation affected by a CASL contravention can bring a civil lawsuit against the offending person or entity – and seek remedies including monetary compensation and expenses. The maximum penalties are $200 for each commercial electronic message contravention (to a maximum of $1M/day), and $1M for each day on which a software contravention occurs (CASL’s software sections came into force on January 1, 2015).

Very few people in the legal community and in business are in favour of these provisions, and it would appear that the government has been convinced. When the order in council is published, it will appear in the Canada Gazette.

Wednesday, May 10, 2017

Alberta law provides civil remedies for cyberbullying victims

Tort regarding non-consensual distribution of intimate images supplements recent criminal amendments

The Alberta legislature has passed a bill to provide civil remedies for victims of the non-consensual distribution of intimate images. Bill 202, Protecting Victims of Non-Consensual Distribution of Intimate Images Act, creates a new civil cause of action for what has become known as “revenge porn” or non-consensual pornography. When the law comes into effect, in August 2017, it will be actionable in the province, without proof of harm, for anyone to distribute “an intimate image of another person knowing that the person depicted in the image did not consent to the distribution, or is reckless as to whether or not that person consented to the distribution”. The statute builds upon the criminal provisions for such actions added to the Criminal Code in Bill C-13 and closely follows the similar statute in Manitoba, the Intimate Image Protection Act.

An “intimate image” is defined as an image or video in which the person depicted is nude or includes the breasts, genitals or anal region, or depicts explicit activity. It is further defined with reference to the expectation of privacy that existed at the time the image was created or distributed:

(ii) which was recorded in circumstances that gave rise to a reasonable expectation of privacy in respect of that image, and

(iii) if the image has been distributed, in which the person depicted in the image retained a reasonable expectation of privacy at the time it was distributed;

Importantly, that expectation of privacy is not necessarily lost if the image was taken by another person or was given to another person where it was not to be further distributed:

Expectation of privacy

5 In an action for the distribution of an intimate image without consent, the person depicted in the image does not lose the expectation of privacy in respect of the image if that person

(a) consented to another person recording the images, or

(b) provided the image to another person,

in circumstances where that other person knew or ought reasonably to have known that the image was not distributed to any other person.

The bill also contains a public interest defence, which is similar to that found in the Criminal Code for other pornography and obscenity offences. Also of note, if the defendant in an action under the new law is a child, the statute specifically deems that the parent of the defendant will not be jointly and severally liable unless the parent “directly participated” in the distribution of the image.

Friday, March 10, 2017

Privacy and the use of census information for population health research

Professor Teresa Scassa has a very interesting comment on her blog about a recent case from the Federal Court of Canada, O’Grady v. Canada (Attorney General), 2017 FC 167. Her comment is here: Recent Federal Court Decision Examines Privacy and the Census.

The case itself is a judicial review of a decision of the Chief Statistician to enter into an agreement with McGill University’s Faculty of Medicine to conduct a study examining perinatal outcomes in Canada. This sort of research collaboration and data matching happens all the time, but it is seldom objected to and the discussions do not often end up in front of the courts.

The context, from the decision:

[3] In 2011, Statistics Canada and McGill entered into a Letter of Agreement to conduct a study that would assess infant mortality and newborn health by examining perinatal outcomes in Canada according to risk factors related to socioeconomic position, ethno-cultural background, and environmental exposure [Study]. In connection with the Study, record linkages were used to link information from the national birth record database and the 1996 and 2006 censuses. In order to minimize the privacy intrusion, the record linkages were performed in accordance with s 6 of the Statistics Act, RSC 1985, c S-19 [Statistics Act] by Statistics Canada employees, or deemed employees, and the composite records were stripped of direct personal identifiers before they were made accessible to McGill. The composite records were also restricted to Statistics Canada’s premises. Additionally, the usage of the record linkages was publicly posted on the Statistics Canada website.

The applicant complained to the Privacy Commissioner of Canada, who concluded that the applicant's personal information had not been improperly used.

[7] The Privacy Commissioner agreed that the Applicant’s census information met the definition of personal information, as defined by s 3 of the Statistics Act. Additionally, the Privacy Commissioner found that usage of census information in the Study was beyond the scope of the purposes for which it was collected, which is prohibited under s 7 of the Statistics Act. However, there was no evidence to suggest that the Applicant’s information had actually been used in the Study as her information had been excluded. Furthermore, even if the Applicant’s information had been used, Statistics Canada had the authority to do so under the Statistics Act. Consequently, the Privacy Commissioner found that the Applicant’s complaint was not well-founded.

The Court, in reviewing the decision by the Chief of Statistics, found that it was lawful as the use of the census data in this manner is consistent with the purpose for which it was originally collected.

[68] There is no doubt that census information is personal information, so the issue in this case is whether it was used “for a use consistent” with the “purpose for which it was obtained or complied….”

[69] The Supreme Court of Canada set out the “consistent use” test in Bernard, above:

[31] A use need not be identical to the purpose for which information was obtained in order to fall under s. 8(2) (a) of the Privacy Act; it must only be consistent with that purpose. As the Federal Court of Appeal held, there need only be a sufficiently direct connection between the purpose and the proposed use, such that an employee would reasonably expect that the information could be used in the manner proposed.

(emphasis in original)


[70] It is clear that Statistics Canada could not have contemplated the Study at the time of either the 1996 census or the 2006 census. Hence, the information collected by those censuses was not obtained specifically for the Study. However, the purpose of the Study is to compile and analyse statistics related to the health and welfare of Canadians, so that it complies with the purpose of the censuses and with Statistics Canada’s mandate.


The application was dismissed, but the Court noted it was premature overall:

[86] The real problem with this application is that it is premature. The Study has not yet been released or used. The Applicant speculates that personal information will be used and disclosed, but has produced no convincing evidence to support that position. Whatever I have said in this application, which is based solely upon the record before me, should not prevent anyone whose personal information is inappropriately used or disclosed from bringing the matter before the Court in the future.

Friday, February 10, 2017

Nova Scotia Appeals Court: No privacy and defamation double-dip damages

The Nova Scotia Court of Appeal, in Marson v Nova Scotia, 2017 NSCA 17, has affirmed the decision of the NS Supreme Court, which found that you don't get to double-dip on damages if essentially the same conduct is grounded in both invasion of privacy and defamation. The unanimous Court reasoned:

[27] The trial judge was alive to the potential to award damages for “Breach of Privacy/Intrusion upon seclusion”. She discussed the issue of whether there was any need to rely upon an Ontario case, Jones v. Tsige, 2012 ONCA 32 (CanLII), which recognized the tort of intrusion upon seclusion. In Jones the Court made an award based on the tort of invasion of privacy, or intrusion upon seclusion. That case referenced the fact that one who intentionally intrudes upon the seclusion of another in his private affairs is subject to liability for invasion of privacy if the invasion would be highly offensive to a reasonable person. A reasonable person, in the context of that tort, would find it highly offensive to have records such as health records, or in the context of the present case, confidential policing/corrections information disseminated.

[28] The Jones case made it clear that the damages for such a tort were in the category of “symbolic” or “moral” damages where a plaintiff suffered no provable pecuniary loss. Here, the trial judge correctly pointed out that while in Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245 (CanLII) it was made clear that the court could award damages for a tort of intrusion upon seclusion, it was not necessary in the present case. She said:

175 … I do not need to undertake that analysis. The actions complained of under this heading are, essentially, the same actions underpinning the defamation claim, for which I have already awarded complete damages. The factors noted in par. 87 of Jones have already been considered in that award. It would be inappropriate to make further awards. …

[29] I agree with the trial judge’s approach on this issue. The approach argued by the appellant would have resulted in double recovery for the same delict. The trial judge’s comments make it clear that the intrusion of seclusion was subsumed within the other heads of damages.

A claim can be both rooted in privacy and defamation, but your compensation is for the harm itself and not multiplied by the different torts you can claim.

Tuesday, February 07, 2017

Did the Canadian Federal Court take the first step to a "right to be forgotten" with a global take-down order?

This past week, the Federal Court of Canada released a very interesting decision in A.T. v. Globe24h.com, 2017 FC 114, which seems to be the first step towards a Canadian "right to be forgotten". (You may recall that I generally don't think such a right exists in Canada: You'd better forget the right to be forgotten in Canada.) The decision includes an order that purports to tell a non-Canadian what information can be published on the internet globally.

The decision is generally unsatisfying in a number of ways. But first, here's the background: The Applicant, identified only as A.T., registered a complaint with the Privacy Commissioner of Canada that a Romanian website was hosting and making available an Alberta Labour Board decision that he did not want to be associated with. An internet search of his name would turn up this decision, hosted by Globe24h. He wanted it taken down. The Office of the Privacy Commissioner of Canada (OPC) had previously investigated a number of complaints against the outfit and issued a finding. Essentially, the OPC had found that the site scraped decisions from Canadian legal, court and tribunal websites and made them searchable on the internet. Most of these tribunals and courts made these records available online, but restricted them from being indexed and fully searchable. The business model of the site seems to be that they will promptly take down decisions -- presumably those not favourable to individuals -- if the individual pays a processing fee. The OPC had found this was a violation of Canada's Personal Information Protection and Electronic Documents Act.

In the case before the Federal Court, only the complainant and the OPC appeared. As a result, the record is one-sided and there was not a complete, adversarial analysis of all the issues to be considered. Our legal system is premised upon having opposing sides present their best arguments and best evidence before a Court. This decision only includes one side and no interveners who may have helped the court get a more balanced view. It does appear that the Court generally accepted the arguments put forward by the OPC, including hearsay related to the dialogue that OPC had with Globe24h (but which it declined to have with the Court).

The Court relied on, among other authorities, the Equustek v. Google decision from the British Columbia Court of Appeal, which was appealed to the Supreme Court of Canada and for which a decision is pending, to support its ability to issue a mandatory order against an entity with no presence in Canada. This decision may be reversed.

Second, because there was nobody to present the other side, there was no discussion about the impact of freedom of expression or the right to information on the case. The Court concluded that because the original case was available online, but not indexed, removing it from Globe24h would not have any real impact. And because the site's purpose was concluded to be mostly mercenary, it could not take advantage of the exclusion given to exclusively journalistic reports. In fact, the Court determined that the website's approach was not "appropriate" for the purposes of s. 5(3) of PIPEDA, which reads:

Appropriate purposes

(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.


Here's the judge's reasoning on that point:

[75] I agree with the OPCC that a reasonable person would not consider the respondent to have a bona fide business interest. In making this argument, the Commissioner relies on the Canadian Judicial Council’s (CJC) Model Policy for Access to Court Records in Canada (Model Policy) and the OPCC’s own guidance document to federal administrative tribunals. The CJC Model Policy discourages decisions that are published online to be indexed by search engines as this would prevent information from being available when the purpose of the search is not to find court records. The policy recognizes that a balance must be struck between the open courts principle and increasing online access to court records where the privacy and security of participants in judicial proceedings will be at issue.

[76] The CJC has struck a balance by advising courts to prevent judgments from being discovered unintentionally through search engines. To this end, the CJC has recommended that judgments published online should not be indexed by search engines. The OPCC notes that CanLII and other court and tribunal websites generally follow the CJC’s Model Policy and prevent their decisions from being indexed by search engines through web robot exclusion protocols and other means. Indeed, the Federal Court has taken such measures to prevent our decisions from being indexed. That does not bar anyone from visiting the Federal Court website and conducting a name search. But it does prevent the cases from being listed in a casual web search. The respondent’s actions result in needless exposure of sensitive personal information of participants in the justice system via search engines.
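The distinction the Court draws in paragraph [76] (a decision that is reachable by anyone who visits the site, but is kept out of casual search results) rests on two advisory mechanisms: a robots.txt exclusion and, as one of the "other means", a noindex directive on the page. The following is an added example, not part of the judgment or of any court's actual configuration; the site "https://court.example", its robots.txt and its pages are all constructed here for illustration. It classifies sample pages the way a search engine that honours those signals would, while the comments note why a scraper of the kind described in the decision is unaffected by them.

```python
import urllib.robotparser
from html.parser import HTMLParser

# Constructed sample robots.txt for a hypothetical court site (an assumption for
# illustration; not any real court's file). It asks every crawler to stay out of
# the decisions directory and the name-search endpoint, and leaves the rest open.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /decisions/
Disallow: /search
"""

# Constructed sample pages (url -> HTML). The "other means" the judgment mentions
# is modelled as a <meta name="robots" content="noindex"> tag on one page.
SAMPLE_PAGES = {
    "https://court.example/about.html":
        "<html><head><title>About</title></head><body>About the court</body></html>",
    "https://court.example/decisions/2017fc114.html":
        "<html><head><title>A decision</title></head><body>...</body></html>",
    "https://court.example/press/release.html":
        '<html><head><meta name="robots" content="noindex, nofollow"></head>'
        "<body>Embargoed</body></html>",
}


def parse_robots(robots_txt, base_url):
    """Parse an in-memory robots.txt as if it had been fetched from base_url/robots.txt."""
    rp = urllib.robotparser.RobotFileParser()
    rp.set_url(base_url.rstrip("/") + "/robots.txt")
    rp.parse(robots_txt.splitlines())  # parse() also marks the file as read
    return rp


class _MetaRobots(HTMLParser):
    """Collect the directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}


def page_requests_noindex(html):
    """True if the page carries a robots meta tag asking not to be indexed."""
    p = _MetaRobots()
    p.feed(html)
    return "noindex" in p.directives


def indexing_status(robots_txt, base_url, pages, user_agent="*"):
    """Classify each page as a search engine that honours robots signals would.

    Both checks are requests to well-behaved crawlers, not access controls: a
    scraper that ignores them still retrieves every page, which is how decisions
    kept out of search results on the originating site can end up indexed elsewhere.
    """
    rp = parse_robots(robots_txt, base_url)
    status = {}
    for url, html in pages.items():
        if not rp.can_fetch(user_agent, url):
            status[url] = "blocked by robots.txt"
        elif page_requests_noindex(html):
            status[url] = "noindex meta tag"
        else:
            status[url] = "indexable"
    return status


if __name__ == "__main__":
    for url, s in indexing_status(SAMPLE_ROBOTS_TXT, "https://court.example", SAMPLE_PAGES).items():
        print(f"{s:22}  {url}")
```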


The Court agreed with the OPC's submissions that the "journalism" exception doesn't apply in the case either. In doing so, the Court followed the reasoning of the Alberta Court of Appeal in United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, which was affirmed on other grounds by the Supreme Court of Canada in 2013 SCC 62.

[67] The respondent has claimed in communications with the OPCC that his purposes in operating Globe24h.com should be considered exclusively journalistic. Should the Court accept that claim, Part 1 of PIPEDA does not apply to his activities because the personal information collected, used or disclosed falls under the exception provided by paragraph 4(2)(c) of PIPEDA.

[68] The “journalistic” purpose exception is not defined in PIPEDA and it has not received substantive treatment in the jurisprudence. The OPCC submits that the Canadian Association of Journalists has suggested that an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation ”. Those criteria appear to be a reasonable framework for defining the exception. None of them would apply to what the respondent has done.

[69] The Alberta Court of Appeal interpreted similar statutory language in Alberta’s Personal Information Protection Act, SA 2003, c P-6.5: United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII), [2012] AJ No 427, aff’d 2013 SCC 62 (CanLII), [2013] 3 SCR 733 [United Food]. Specifically, in considering the adjective “journalistic”, the Court of Appeal noted that “it is unreasonable to think that the Legislature intended it to be so wide as to encompass everything within the phrase “freedom of opinion and expression””: United Food, above, at para 56. Further, the Court noted that “[n]ot every piece of information posted on the Internet qualifies [as journalism]”: United Food, above, at para 59.

[70] In my view, the respondent’s claimed purpose “to make law accessible for free on the Internet” on Globe24h.com cannot be considered “journalistic”. In this instance, there is no need to republish the decisions to make them accessible as they are already available on Canadian websites for free. The respondent adds no value to the publication by way of commentary, additional information or analysis. He exploits the content by demanding payment for its removal.

[71] The evidence indicates that the respondent’s primary purpose is to incentivize individuals to pay to have their personal information removed from the website. A secondary purpose, until very recently, was to generate advertising revenue by driving traffic to his website through the increased exposure of personal information in search engines. There is no evidence that the respondent’s intention is to inform the public on matters of public interest.

[72] Even if the respondent’s activities could be considered journalistic in part, the exemption under paragraph 4(2)(c) only applies where the information is collected, used or disclosed exclusively for journalistic purposes. It is clear from the record that Globe24h.com’s purposes extend beyond journalism.


While this case is very interesting and the first in Canada to approach a "right to be forgotten", I would caution against assuming that it is a strong precedent for Canadian law. Unfortunately, it appears all the argument and evidence was one-sided. The case raises some very interesting, very important and nuanced issues. We really would have benefited from a full presentation of all arguable positions, particularly those related to freedom of expression and the appropriateness of global takedown orders.

Here's the final order from the Court:

THIS COURT’S JUDGMENT is that:

1. It is declared that the Respondent, Sebastian Radulescu, contravened the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 by collecting, using and disclosing on his website, www.Globe24h.com (“Globe24h.com”), personal information contained in Canadian court and tribunal decisions for inappropriate purposes and without the consent of the individuals concerned;

2. The Respondent, Sebastian Radulescu, shall remove all Canadian court and tribunal decisions containing personal information from Globe24h.com and take the necessary steps to remove these decisions from search engine caches;

3. The Respondent, Sebastian Radulescu, shall refrain from further copying and republishing Canadian court and tribunal decisions containing personal information in a manner that contravenes the Personal Information Protection and Electronic Documents Act, SC 2000, c 5;

a) The Respondent, Sebastian Radulescu, shall pay the Applicant damages in the amount of $5000;

b) The Applicant is awarded costs in the amount of $300; and

c) The style of cause is amended to substitute the initials “A.T.” for the name of the applicant.