Saturday, December 08, 2018

Presentation: Obtaining digital evidence

This week, I was pleased to be asked to be on a panel with Daniela Bassan on digital evidence for the Canadian Bar Association - Nova Scotia Annual Conference. I spoke about the mechanics of trying to gather and preserve digital (mainly online) information, and Daniela spoke about the process of getting court orders to preserve and access information from third parties.

In case it's of interest, here's my presentation:

Wednesday, December 05, 2018

Canadian Privacy Commissioner calls for a new privacy law

Canadian Privacy Commissioner, Daniel Therrien, has today released a letter written to Navdeep Singh Bains, the Minister of Innovation, Science and Economic Development, calling for a new Canadian privacy law. Such a new law must, he said, include the following aspects:

  • Continue to be technology neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.
  • Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.
  • Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. A principles based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.
  • Confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
  • Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.
  • Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.
  • Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.

The letter is here, along with a news release.

I agree wholeheartedly with the last bullet point, but I think we should hold off before revamping our privacy law. In my view, it works and it works well. The only impetus for change would be the adequacy determination from Europe, which is not scheduled until 2020. At that point, we'll have an understanding of what's necessary to maintain this important status. In the meantime, the OPC hasn't made a strong case for order making powers. We would have two choices: either create a Privacy Tribunal like the Canadian Human Rights Tribunal (which is often pointed to as a poster-child of inefficiency) or turn the Office of the Privacy Commissioner into something like the CRTC's CASL enforcement group (which has problems of overreach and a clear propensity towards zealous punishment of companies that are making a good faith effort to comply with the law).

At this stage, I haven't seen the Privacy Commissioner fully use all the tools in his toolbox. He has the ability to take a company to the Federal Court. In most of the cases he has done so (that I'm aware of), they've settled. Obviously the Commissioner would not settle a case if it was not to his satisfaction.

Friday, September 28, 2018

Presentation: Privacy 101 for Psychologists

I was invited to present at an professional development event by the Association of Psychologists of Nova Scotia, on the topic of Privacy 101. In case it's of use to others, here's my slide deck:

Saturday, September 22, 2018

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

Thursday, April 26, 2018

AtlSecCon Presentation: Canada's new data breach notification regime

I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.

Friday, March 16, 2018

Presentation: Privacy and privilege at the Canadian border

The Canadian Bar Association's British Columbia Privacy and Access Law Section and the Immigration Section kindly invited me to Vancouver this past week to give a presentation on the topic of privacy and privilege at the border. Much of this was based on my advocacy work with the CBA in presenting on the topic to the Parliamentary Standing Committee on Privacy, Access to Information and Ethics and pro bono work for the Canadian Civil Liberties Association as an amicus.

In case it's of interest, here's my presentation:



One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.

Friday, January 26, 2018

Privacy Commissioner thinks there's a right to be forgotten in Canada

The Office of the Privacy Commissioner of Canada just released a news release, another notice of consultation and a draft position paper on "online reputation".

Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".

I'm just digesting it all, but my preliminary view is that it is incorrect and constitutionally untenable. You can see my submission on the earlier consultation here: You'd better forget the right to be forgotten in Canada.

Here's the OPC's press release on this latest development:

Improvements needed to protect online reputation, Privacy Commissioner says

New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education

GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.

The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.

“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”

The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.

The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.

With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.

Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.

All of these considerations need to be balanced with other important values such as freedom of expression and public interest.

For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.

“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.

There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.

While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.

The report also emphasizes the importance of privacy education.

Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.

“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”

The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.

Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.

After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.

Friday, January 12, 2018

Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company

The British Columbia Court of Appeal has whipped the door open for the greater use of production orders requiring non-Canadian companies to provide user information. Here's the summary I prepared for my firm (also available here):

The Legal Reality: Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company in British Columbia (Attorney General) v. Brecknell

January 12, 2018

By David Fraser, at McInnes Cooper

Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:

The Legal Trend. The decision lines up with the Supreme Court of Canada’s increasing awareness of the Internet’s inherently global nature, willingness to take jurisdiction in cases that cross borders, and readiness to apply existing legal principles to online business – all as illustrated in the Court’s June 2017 decisions in Google Inc. v. Equustek Solutions Inc. and Douez v. Facebook, Inc. There’s every reason to believe this trend is here to stay – and foreign companies doing business in Canada, even if only virtually, should be prepared for the increased legal exposure it entails.

Broader Implications. The Court’s conclusion that the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s “presence” in Canada will have application to, for example, tax laws, remains to be seen.

More Production Orders & More Content. Non-Canadian companies will likely see more production orders from Canadian courts. Canadian courts will more willingly assume jurisdiction over companies where the only contacts with Canada are virtual (i.e. over the internet), and more readily available to police to obtain production orders against such companies – no matter where they are “physically” present. And this route is much preferred by police compared to proceeding under mutual legal assistance procedures. In addition to more Canadian production orders against internet companies, more of those orders will likely be for “content”, not just identifying information and metadata. And this decision will likely lead Canadian police to conclude that compliance is no longer a question of voluntariness: many internet companies “voluntarily” comply with Canadian orders for non-content data but require Mutual Legal Assistance Treaties (MLAT) processes for content such as email and other communications.

In 2016, the Royal Canadian Mounted Police (R.C.M.P.) applied to the B.C. Provincial Court for a production order requiring Craigslist to produce certain information about one of its users. In particular, R.C.M.P. sought the user’s name or physical address, its email address, the IP address assigned to the user when the post was created, the phone numbers used to verify the user account, the dates and times the post was created post and the record of the posting. The court refused on the basis Craigslist had only a “virtual presence in B.C.” The R.C.M.P. appealed and on January 9, 2018, the B.C. Court of Appeal agreed: Craigslist is “present” in the province of B.C. and police can obtain a production order naming it, even though it has no “physical” presence in Canada or an address in Canada to effect service:

Virtual Presence = Physical Presence. Under Canadian law, a Canadian court has jurisdiction where there is a “real and substantial connection” between Canada (or a Canadian province) and the activity in issue. There’s no “bright line” rule, but courts have consistently decided that actively doing business over the internet with residents of a particular Canadian province is enough to create that connection. This in turn gives the court jurisdiction over the specific subject matter and parties (a.k.a “in personam” jurisdiction), a proposition about which the Supreme Court of Canada most recently pronounced in its June 2017 decision in Google v. Equustek Solutions Inc. Here, the Court of Appeal interpreted the Criminal Code provisions as limiting courts’ ability to issue a production order “…only against a person in Canada”, making the question whether Craigslist – a U.S. company with no physical presence in Canada – is “a person in Canada” for this purpose. The Court concluded the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference (at para. 40):

“… [I]n the Internet era it is formalistic and artificial to draw a distinction between physical and virtual presence. Corporate persons … can exist in more than one place at the same time. … I do not think anything turns on whether the corporate person in the jurisdiction has a physical or only a virtual presence. To draw on and rely on such a distinction would defeat the purpose of the legislation and ignore the realities of modern day electronic commerce…”

The Test is Canadian Presence – not Canadian Possession. The Court was clear that the test for a production order is only the presence of the recipient – and not the information sought to be produced – in Canada. Once the Court of Appeal concluded Craigslist was “a person in Canada”, the test was met (at para. 39):

“In the first instance, the [Criminal Code] section, properly interpreted, stipulates only that the person subject to the order must be a person in the jurisdiction. In my view, Craigslist is such a person. Second, the person must be a person who has possession or control of a document. The section says nothing expressly about where that possession or control exists. Indeed, it may not even be sensible to pose the question in terms of the location of control. A person either does or does not have possession of a document. The question is one of control, not where the control is exercised. In this case, Craigslist has possession or control of the relevant records and the provision requires nothing further. In other words, there is nothing in the section that requires the person in the jurisdiction to be a custodian of the documents in the jurisdiction. In my view, it is sufficient that the person is present within the jurisdiction. I do not think that there is anything extraterritorial in such an interpretation. To conclude that Craigslist is a person within the jurisdiction who has possession or control of documents does not give the section an impermissibly extraterritorial interpretation.”

No Other Barriers. The Court of Appeal rejected the argument that a production order against a foreign company effectively intrudes into another country’s sovereignty, essentially deputizing a non-Canadian company to carry out a search in a foreign country that Canadian police could never carry out themselves. The Court concluded the weight of U.S. legal authority doesn’t treat subpoenas in this manner, noting it appears instead to recognize the U.S. validity of subpoenas directed to persons in the U.S. over whom there is personal jurisdiction to disclose documents in the U.S. even where they must be obtained from outside the U.S. The Court also considered – and rejected – the arguments that enforcement difficulties or the existence of Mutual Legal Assistance Treaties (MLAT) militate against the use of production orders in cases like this.

Saturday, December 02, 2017

Federal Court of Appeal: Past privacy consent does not prevent new means of handling and distributing personal information

The Federal Court of Appeal released its long-awaited decision in Toronto Real Estate Board v Commissioner of Competition on Friday, December 1, 2017. The decision is a statutory appeal and is the latest chapter in a very long saga in which the Competition Bureau has accused Canada's largest real estate board of acting in an anti-competitive manner to prevent new forms of competition in the real estate market.

The Canada Real Estate Board (CREA), and its members such as the Toronto Real Estate Board (TREB) own and operate the Canadian Multiple Listing Service (which is the backbone of realtor.ca). A lot of information about current properties on the market is available on the site and realtors have access to a much wider range of information, including historical sales and listing information that is essential to carrying out market analyses for buyers and sellers.

The main issue is that TREB has not permitted innovative forms of real estate sales, such as online, using this much richer information. And privacy was one of the reasons TREB pointed to in order to justify its practices:

[2] TREB maintains a database of information on current and previously available property listings in the GTA. TREB makes some of this information available to its members via an electronic data feed, which its members can then use to populate their websites. However, some data available in the database is not distributed via the data feed, and can only be viewed and distributed through more traditional channels. The Commissioner of Competition says this disadvantages innovative brokers who would prefer to establish virtual offices, resulting in a substantial prevention or lessening of competition in violation of subsection 79(1) of the Competition Act, R.S.C. 1985, c. C-34 (Competition Act). TREB says that the restrictions do not have the effect of substantially preventing or lessening competition. Furthermore, TREB claims the restrictions are due to privacy concerns and that its brokers’ clients have not consented to such disclosure of their information. TREB also claims a copyright interest in the database it has compiled, and that under subsection 79(5) of the Competition Act, the assertion of an intellectual property right cannot be an anti-competitive act.

Focusing on the privacy argument, TREB essentially argued that people who consented to having their information made available when they hired a realtor, really only consented to having it made available through traditional channels and not published online. The Tribunal below was of the view that TREB's privacy arguments were pretty flimsy and one gets the sense that it was really a pretext to justify their way of doing things.

[131] In considering privacy as a business justification under paragraph 79(1)(b), the Tribunal found that the “principal motivation in implementing the VOW Restrictions was to insulate its members from the disruptive competition that [motivated] Internet-based brokerages”. It concluded that there was little evidentiary support for the contention that the restrictions were motivated by privacy concerns of TREB’s clients. The Tribunal also found scant evidence that, in the development of the VOW Policy, the VOW committee had considered, been motivated by, or acted upon privacy considerations (TR at para. 321). The privacy concerns were “an afterthought and continue to be a pretext for TREB’s adoption and maintenance of the VOW Restrictions” (TR at para. 390).

TREB argued that nobody consented to having this information disseminated via the internet or "virtual office websites" (VOWs), so new consent would be required to do so. Absent new consent, this information cannot be disseminated online:

[160] While the Listing Agreement used by TREB provides consent to some uses of personal information, TREB asserts that had the Tribunal examined it more closely, it would have found that the Listing Agreement did not provide sufficiently specific wording to permit disclosure of personal information in the VOW data feed. Specifically, TREB contends that the consents do not permit the distribution of the data over the internet, and that is qualitatively different from the distribution of the same information by person, fax, or email.

The Commissioner argued that consent for PIPEDA purposes is to the "purposes" proposed for the collection, use and disclosure of personal information, and not the means by which it would be disseminated. The Court of Appeal agreed:

[164] The wording in the Listing Agreements from 2003 onwards is substantially similar to that quoted above. However, the phrase “during the term of the listing and thereafter” (underlined above), first appears in 2012. The Use and Distribution of Information clause in the Listing Agreement is broad and unrestricted. Sellers are informed that their data could be used for several purposes: for distribution in the database to market their house; to compile, retain, and publish statistics; for use as part of comparative market analysis; and any other use in connection with the listing, marketing, and selling of real estate. Nothing in the text implies the data would only be used during the time the listing is active. Indeed, the use of data for historical statistics of selling prices necessitates that the data will be kept. The Tribunal noted that TREB’s policies 102 and 103 add that, apart from inaccurate data, “[n]o other changes will be made in the historical data” (TR at para. 401). We note as well that clause 11 of the Listing Agreement allows for the property to be marketed “using any medium, including the internet”.

[165] PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet in the manner targeted by the VOW Policy−does not accord with the unequivocal language of the consent.

Why is this important? Because it is clear that though technology may shift and putting services online may change the extent of the distribution of information and the possible uses of the information by someone who accesses it, the key to obtaining consent is to clearly articulate the purposes of the collection. The stated purposes are what dictate how the information can be used, but do not dictate the means of dissemination.

Wednesday, November 15, 2017

Ontario Court of Appeal confirms online harassment conviction where threatening website was “about” the complainant but not a threat directed "to" the complainant

At a time when the courts and the rest of the justice system are grappling with how traditional Criminal Code offences and online misconduct intersect, the Ontario Court of Appeal has issued an important decision in R v. Sim on how criminal harassment can take place online. Often, police and others are stuck in an analog paradigm of traditional stalking and menacing.

In this case, the accused created an incredibly offensive website that was not directed at the complainant but was about her, and directed to a select audience that appears to have been intended to exclude her.

The accused used to work in the same building as the complainant lived. They became friends and when the accused showed a romantic interest in the complainant, the complainant made it clear that the feelings were not reciprocated. They went their separate ways, each married other people and started families. They communicated by email from time to time, apparently just to catch up on what the other was doing.

In the meantime, the accused created a Yahoo! Groups website that, according to a statement on the homepage, was dedicated to “the degradation and online spreading” of the complainant. He recruited at least 150 others to join the site. According to the Court:

[9] Sim posted extensive biographical details and photos of the complainant on the website. He authored false, degrading, vile, and grotesque sexualized commentary about her on the website’s messaging forum. He encouraged group members to post their own vile comments about the complainant, to author and share crude sexual fantasies involving her, and to alter photographs of her in a sexually degrading way and share those as well. …

The complainant became aware of the site in 2013 and, with the help of a friend, she created a username and password to get full access to the site.

The accused was charged with criminal harassment and publishing a defamatory libel. He was convicted of harassment and acquitted of defamatory libel. The accused appealed his conviction to the Ontario Court of Appeal, arguing that the necessary actus rea of harassment had been made out.

The accused had been convicted under paragraph 2(d) of section 264 of the Criminal Code:

(1) Criminal harassment – No person shall, without lawful authority and knowing that another person is harassed or recklessly as to whether the other person is harassed, engage in conduct referred to in subsection (2) that causes that other person reasonably, in all the circumstances, to fear for their safety or the safety of anyone known to them.

(2) Prohibited conduct – The conduct mentioned in subsection (1) consists of …

(d) engaging in threatening conduct directed at the other person or any member of their family.

The trial judge acknowledged that if “threatening conduct” required a subjective intention to threaten the complainant, the accused should be acquitted for lack of evidence. But the judge decided that there was no such requirement; rather the question is whether the conduct is objectively threatening.

In 2008, the Ontario Court of Appeal in R. v. Burns determined that an objective standard was required for the actus rea of criminal harassment under paragraph 2(d):

To establish harassment under s. 264(2)(d) of the Criminal Code, the Crown had to establish that the appellant engaged in “threatening conduct”. We accept the definition of threatening conduct given in R. v. George at para. 39 that, in order to meet the objectives of s. 264, the threatening conduct must amount to a “tool of intimidation which is designed to instill a sense of fear in the recipient”. The impugned conduct is to be viewed objectively, with due consideration for the circumstances in which they took place, and with regards to the effects those acts had on the recipient. [Citation omitted.]

With regard to the accused’s specific arguments, Laskin JA, on behalf of a unanimous Court, wrote:

[18] First, Sim’s submission is inconsistent with s. 264(1) of the Code and thus is contrary to Parliament’s express intent. Subsection 264(1) specifies that the mens rea component of criminal harassment can be met by an accused’s knowledge or recklessness. To suggest that the actus reus of threatening conduct requires a specific intent to instil fear is contrary to the plain language of s. 264(1).

[19] Second, as this court said in Burns, under s. 264(2)(d) the conduct in question must be viewed objectively. In other words, would the accused’s threatening conduct cause a reasonable person in the complainant’s situation to fear for her safety? The word “designed” does not require the Crown to prove the accused’s subjective intention. And, in assessing whether an accused’s conduct is threatening under s. 264(2)(d), a judge is not required to get into the accused’s mind.

[20] Instead, the word “designed” is meant to focus on the effect of the accused’s conduct on a reasonable person in the shoes of the target of the conduct. In Burns, this court clarified that the objective assessment must consider the circumstances in which the conduct took place, and the effects that the conduct actually had on the complainant. Although an accused's threatening conduct may not affect every target of that conduct, in every conceivable situation, it could well instill fear in a reasonable person in the complainant’s specific situation, particularly when the actual effects of the conduct on the complaint are considered. That is the case here. The trial judge did not err in finding that the Crown had established the actus reus of the offence.

While the site at issue was clearly about the complainant, there was no evidence that it was directed at the complainant in order to threaten her. This decision will hopefully reinforce the notion that the criminal harassment offence may be made out in cases where the accused creates “threatening” content about the victim, rather than directed to the victim.

[An earlier version of this case summary was written for the Canadian Technology Law Association’s newsletter.]