Monday, April 01, 2019

Ontario court refuses to order accused to unlock his smartphone

Not sure how I missed this one when it came out in January ...

The Ontario Court of Justice has refused to order an accused to unlock his smartphone or to provide the crown with the password for the device. In R v Shergill, 2019 ONCJ 54, the Crown made an application for a search warrant for a phone seized from the accused. The interesting part is that the Crown also sought an assistance order under s. 487.02 of the Criminal Code. Notably, the application was not made ex parte so the accused was able to make submissions.

The Crown argued that the accused's Charter rights were not engaged.

[3] The Crown says that basic principles of statutory interpretation allow for an accused to be the subject of an assistance order in relation to his or her own investigation. The Crown further submits that this request for an assistance order does not raise Charter concerns, but is instead a matter of mere practicality. The Crown’s factum focusses entirely on the principle against self-incrimination, submitting that the proposed assistance order does not engage that principle because it only compels Mr. Shergill to provide access to, and not create, material the police are judicially authorized to examine, and because any self-incrimination concerns are met by the grant of use immunity over Mr. Shergill’s knowledge of the password.

The Court decided in favour of the accused, finding that this order would engage the accused's right to silence and the protection against self-incrimination. The Court wrote:

(e) The Right to Silence

[21] In my view, the more significant principle of fundamental justice at stake is the right to silence. This right emerged as a component of the protection against self-incrimination in R. v. Hebert in which McLachlin J. (as she then was), held:

If the Charter guarantees against self-incrimination at trial are to be given their full effect, an effective right of choice as to whether to make a statement must exist at the pre-trial stage… the right to silence of a detained person under s. 7 of the Charter must be broad enough to accord to the detained person a free choice on the matter of whether to speak to the authorities or to remain silent.

McLachlin J. also reaffirmed the Court’s prior holding that the right to silence was “a well-settled principle that has for generations been part of the basic tenets of our law.”

[22] The “common theme” underlying the right to silence is “the idea that a person in the power of the state in the course of the criminal process has the right to choose whether to speak to the police or remain silent.” In tracing the history of the right, McLachlin J. referred to an “array of distinguished Canadian jurists who recognized the importance of the suspect’s freedom to choose whether to give a statement to the police or not” and described the essence of the right to silence as the “notion that the person whose freedom is placed in question by the judicial process must be given the choice of whether to speak to the authorities or not.”[21] Finally, Hebert held that s. 7 provides “a positive right to make a free choice as to whether to remain silent or speak to the authorities.”

[23] The pre-trial right to silence is a concept which, as Iacobucci held in R.J.S., has been “elevated to the status of a constitutional right.”[footnotes omitted]

The Court then discussed some of the challenges that law enforcement are facing in light of new technology and encryption in particular. Though there is always a compelling public interest in the investigation and prosecution of crimes, the final balancing came down on the side of the accused's liberty interests under s. 7 of the Charter.

[51] I accept that the current digital landscape as it relates to effective law enforcement and the protection of privacy presents many challenges. It may be that a different approach to this issue is warranted, whether through legislative initiatives or modifications to what I see as jurisprudence which is binding on me. But on my best application of controlling authority, I am simply not persuaded that the order sought can issue without fundamentally breaching Mr. Shergill’s s. 7 liberty interests, a breach which would not be in accordance with the principle of fundamental justice which says that he has the right to remain silent in the investigative context.

The search warrant was issued, but the assistance order was denied.

Tuesday, February 19, 2019

Privacy for start-ups and growing businesses

I was invited with my colleague Sarah Anderson Dykema to present on privacy by design for start-ups at Volta Labs. Volta is Eastern Canada's innovation hub, incubating and accelerating start-ups.

The turnout was great and the presentation was well received. I promised to publish it on my blog for the attendees, and for anyone else who may find it of interest.


Thursday, February 14, 2019

Supreme Court of Canada lays down a very nuanced, contextual understanding of "expectation of privacy"

Today the Supreme Court of Canada issued a very important privacy decision in R v Jarvis. I say it’s important for a number of reasons. First, it’s an important decision that strongly defines expectation of privacy for the Canadian Criminal Code offence of voyeurism. Second, I expect it will have serious knock-on effects on considering privacy in the regulatory and common-law contexts. Finally, it will inform other instances in our Criminal Code where an expectation of privacy is relevant. The decision has a very highly nuanced and contextual test for determining where there is a reasonable expectation of privacy.

The case is largely about a teacher in a high school who used a covert, miniature camera to take videos of young women’s cleavage over more than a year. It was discovered and he was charged under the relatively new voyeurism offence in the Code. Two essential elements of the offence are that there have to be circumstances that give rise to a reasonable expectation of privacy and the recording has to be done for a sexual purpose.* In R v Jarvis, the recording took place in otherwise “public areas” of the school, so not in washrooms or changing rooms. It also has to be "surreptitious", but the observation itself was not surreptitious. What was being recorded was largely observed in real-time by the teacher. The recording was surreptitious.

The trial judge found that there was a reasonable expectation of privacy but the crown had not proven the sexual purpose beyond a reasonable doubt. It’s hard to get one’s head around that, as the teacher had many, many recordings spanning more than a year of students’ cleavage and chest areas. I’m not sure what other purpose he could have had.

The crown appealed to the Ontario Court of Appeal, which had little difficulty concluding that there was a sexual purpose but split on the reasonable expectation of privacy in a "public place" where the young women could generally be observed by teachers and other students.

On appeal to the Supreme Court of Canada, the Court found the accused to be guilty of the offence and provided a very nuanced and contextual framework for determining where and when there is a reasonable expectation of privacy. What is particularly notable for technology lawyers is the role that the covert recording device plays in this analysis. It is not simply a matter that what was recorded could have been observed with one’s bare eyes. The tech plays a role in a couple of ways. Recording is more intrusive than mere observation and awareness of (or the lack of awareness) the observation also plays an important role.

The Court provided a non-exhaustive list of nine factors that courts should consider in deciding the question:

[29] The following non-exhaustive list of considerations may assist a court in determining whether a person who was observed or recorded was in circumstances that give rise to a reasonable expectation of privacy:

(1) The location the person was in when she was observed or recorded. The fact that the location was one from which the person had sought to exclude all others, in which she felt confident that she was not being observed, or in which she expected to be observed only by a select group of people may inform whether there was a reasonable expectation of privacy in a particular case.

(2) The nature of the impugned conduct, that is, whether it consisted of observation or recording. Given that recording is more intrusive on privacy than mere observation, a person’s expectation regarding whether she will be observed may reasonably be different than her expectation regarding whether she will be recorded in any particular situation. The heightened impact of recording on privacy has been recognized by this Court in other contexts, as will be discussed further at para. 62 of these reasons.

(3) Awareness of or consent to potential observation or recording. I will discuss further how awareness of observation or recording may inform the reasonable expectation of privacy inquiry at para. 33 of these reasons.

(4) The manner in which the observation or recording was done. Relevant considerations may include whether the observation or recording was fleeting or sustained, whether it was aided or enhanced by technology and, if so, what type of technology was used. The potential impact of evolving technologies on privacy has been recognized by the courts, as I will discuss further at para. 63 of these reasons.

(5) The subject matter or content of the observation or recording. Relevant considerations may include whether the observation or recording targeted a specific person or persons, what activity the person who was observed or recorded was engaged in at the relevant time, and whether the focus of the observation or recording was on intimate parts of a person’s body. This Court has recognized, in other contexts, that the nature and quality of the information at issue are relevant to assessing reasonable expectations of privacy in that information. As I will discuss further at paras. 65-67 of these reasons, this principle is relevant in the present context as well.

(6) Any rules, regulations or policies that governed the observation or recording in question. However, formal rules, regulations or policies will not necessarily be determinative, and the weight they are to be accorded will vary with the context.

(7) The relationship between the person who was observed or recorded and the person who did the observing or recording. Relevant considerations may include whether the relationship was one of trust or authority and whether the observation or recording constituted a breach or abuse of the trust or authority that characterized the relationship. This circumstance is relevant because it would be reasonable for a person to expect that another person who is in a position of trust or authority toward her will not abuse this position by engaging in unconsented, unauthorized, unwanted or otherwise inappropriate observation or recording.

(8) The purpose for which the observation or recording was done. I will explain why this may be a relevant consideration at paras. 31-32 of these reasons.

(9) The personal attributes of the person who was observed or recorded. Considerations such as whether the person was a child or a young person may be relevant in some contexts.

[30] I emphasize that the list of considerations that can reasonably inform the inquiry into whether a person who was observed or recorded had a reasonable expectation of privacy is not exhaustive. Nor will every consideration listed above be relevant in every case. For example, recordings made using a camera hidden inside a washroom will breach reasonable expectations of privacy regardless of the purpose for which they are made, the age of the person recorded, or the relationship between the person recorded and the person who did the recording. In another context, however, these latter considerations may play a more significant role. The inquiry is a contextual one, and the question in each case is whether there was a reasonable expectation of privacy in the totality of the circumstances.

While anyone could have observed these young women in a relatively public place, what made it particularly problematic was the person who did the observing, in their position of power as a teacher, the victim of the offence, what was focused on and the manner of the observing. Not all of the factors weigh strongly in favour of a finding reasonable expectation of privacy in this case, but the vast majority of them do.

So what does this mean? I expect that we'll be able to see more charges and convictions for similar practices, including "upskirting". We'll also have to see a more nuanced discussion about what is an expectation of privacy in generally public places and I'm confident this will inform judicial decision-making in the context of the privacy torts, which largely hinge on reasonable expectations of privacy, and what it unreasonable. We'll also have to think hard about what role technology plays in privacy, particularly where CCTV cameras are said to be largely equivalent to real-time supervision by managers.

One aspect that I haven't really turned my mind to at this point is the impact of this analysis on expectations of privacy vis-a-vis the state, where section 8 of the Charter is concerned.

* There are other permutations that can give rise to the offence, which do require an expectation of privacy and are largely place-based:


162 (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if

(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;

(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or

(c) the observation or recording is done for a sexual purpose.

At least in a school, subsections (a) and (b) would generally be found in washrooms and change rooms.

Saturday, December 08, 2018

Presentation: Obtaining digital evidence

This week, I was pleased to be asked to be on a panel with Daniela Bassan on digital evidence for the Canadian Bar Association - Nova Scotia Annual Conference. I spoke about the mechanics of trying to gather and preserve digital (mainly online) information, and Daniela spoke about the process of getting court orders to preserve and access information from third parties.

In case it's of interest, here's my presentation:

Wednesday, December 05, 2018

Canadian Privacy Commissioner calls for a new privacy law

Canadian Privacy Commissioner, Daniel Therrien, has today released a letter written to Navdeep Singh Bains, the Minister of Innovation, Science and Economic Development, calling for a new Canadian privacy law. Such a new law must, he said, include the following aspects:

  • Continue to be technology neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.
  • Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.
  • Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. A principles based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.
  • Confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
  • Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.
  • Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.
  • Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.

The letter is here, along with a news release.

I agree wholeheartedly with the last bullet point, but I think we should hold off before revamping our privacy law. In my view, it works and it works well. The only impetus for change would be the adequacy determination from Europe, which is not scheduled until 2020. At that point, we'll have an understanding of what's necessary to maintain this important status. In the meantime, the OPC hasn't made a strong case for order making powers. We would have two choices: either create a Privacy Tribunal like the Canadian Human Rights Tribunal (which is often pointed to as a poster-child of inefficiency) or turn the Office of the Privacy Commissioner into something like the CRTC's CASL enforcement group (which has problems of overreach and a clear propensity towards zealous punishment of companies that are making a good faith effort to comply with the law).

At this stage, I haven't seen the Privacy Commissioner fully use all the tools in his toolbox. He has the ability to take a company to the Federal Court. In most of the cases he has done so (that I'm aware of), they've settled. Obviously the Commissioner would not settle a case if it was not to his satisfaction.

Friday, September 28, 2018

Presentation: Privacy 101 for Psychologists

I was invited to present at an professional development event by the Association of Psychologists of Nova Scotia, on the topic of Privacy 101. In case it's of use to others, here's my slide deck:

Saturday, September 22, 2018

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

Thursday, April 26, 2018

AtlSecCon Presentation: Canada's new data breach notification regime

I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.

Friday, March 16, 2018

Presentation: Privacy and privilege at the Canadian border

The Canadian Bar Association's British Columbia Privacy and Access Law Section and the Immigration Section kindly invited me to Vancouver this past week to give a presentation on the topic of privacy and privilege at the border. Much of this was based on my advocacy work with the CBA in presenting on the topic to the Parliamentary Standing Committee on Privacy, Access to Information and Ethics and pro bono work for the Canadian Civil Liberties Association as an amicus.

In case it's of interest, here's my presentation:

One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.

Friday, January 26, 2018

Privacy Commissioner thinks there's a right to be forgotten in Canada

The Office of the Privacy Commissioner of Canada just released a news release, another notice of consultation and a draft position paper on "online reputation".

Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".

I'm just digesting it all, but my preliminary view is that it is incorrect and constitutionally untenable. You can see my submission on the earlier consultation here: You'd better forget the right to be forgotten in Canada.

Here's the OPC's press release on this latest development:

Improvements needed to protect online reputation, Privacy Commissioner says

New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education

GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.

The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.

“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”

The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.

The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.

With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.

Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.

All of these considerations need to be balanced with other important values such as freedom of expression and public interest.

For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.

“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.

There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.

While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.

The report also emphasizes the importance of privacy education.

Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.

“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”

The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.

Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.

After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.