Yesterday, the Office of the Privacy Commissioner of Canada posted a new finding based on two separate complaints related to a law firm conducting credit checks without consent (Commissioner's Findings - PIPEDA Case Summary #340: Law firms collected credit reports without consent (May 2, 2006)).
The Assistant Commissioner concluded that the complaints were well-founded.
This represents a very important finding, not so much on the question of the appropriateness of the credit checks but on important questions of jurisdiction raised. The credit checks were apparently contrary to the agreement between the firms and the credit bureaus in question. However, in my humble opinion and with the greatest respect to the Assistant Commissioner, Complaint A was incorrectly decided.
Complaint A
An individual complained that a law firm collected his personal information, by conducting a credit bureau inquiry, without his knowledge and consent.
Summary of Investigation
The law firm confirmed that it did conduct the credit inquiry. It argued, however, that the OPC did not have jurisdiction in this matter, as the information was collected for personal purposes of a client in relation to possible litigation, and it would therefore not provide the Office with access to its records.
The Office asserted its jurisdiction with respect to the complaint on the basis that the collection occurred during the course of the law firm’s commercial activities.
The complainant had also filed a complaint with the credit bureau regarding the collection of his credit information. The credit bureau requires its member companies, such as the law firm in this case, to obtain express consent for the collection of credit information. Since the law firm failed to provide adequate information or cooperate fully with the credit bureau’s inquiries, the credit bureau concluded that the law firm did not have the complainant’s consent to the collection. As a result, the law firm’s membership privileges were suspended.
Findings
Issued May 2, 2006
Application: Paragraph 4(1)(a) establishes that Part I of the Act applies to every organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The Assistant Commissioner was satisfied that the collection occurred in the course of the firm’s commercial activities, and noted that as there was no general exclusion for the activities of law firms undertaken on behalf of their clients. The Office therefore found that it had jurisdiction in the matter, pursuant to paragraph 4(1)(a).
As for the collection, the law firm admitted that it had collected the complainant’s personal information, by way of credit inquiry. The complainant had alleged that this was done without his consent, and the law firm did not provide any evidence to the contrary.
The Assistant Commissioner therefore concluded that the information was collected without the complainant’s knowledge or consent, in contravention of Principle 4.3. She recommended that the law firm implement a policy that prohibits conducting credit checks without the individual’s consent, unless one of the exceptions to the requirement for consent, as set out in the Act, is applicable. The law firm responded by continuing to challenge this Office’s jurisdiction, maintaining that the issue did not involve any commercial activity. It stated that it continues to comply with the Act, as it has since the Act came into force. It also maintained that it does not collect the personal information of anyone without their consent. The Assistant Commissioner was not satisfied with this response, noting that the Act requires organizations to be open about their privacy policies and practices. The response from the law firm did not address the specific recommendation of the Office to implement a policy for obtaining consent to conduct credit checks. Nor did the response provide any further evidence that the Act was not contravened in this instance.
Accordingly, she concluded that the complaint was well-founded.
In my humble opinion, and based solely on this little snapshot of the facts provided above, the Assistant Commissioner was without jurisdiction to consider this particular complaint. The basis for the Commissioner's jurisdiction is in s. 4(1)(a) of PIPEDA, which states that Part I of the Act applies with respect to the collection, use and disclosure of personal information in the course of “commercial activities”. Commercial activities is further defined to mean an act or transaction or course of conduct that is of a “commercial character”. It is said that the law firm was acting for a client and that the client was engaged in litigation against the complainant. That the law firm is engaged in its own commercial activities should be irrelevant. It is merely the agent for its client.
This position is supported by the decision of Justice Dawson of the Ontario Superior Court of Justice in Ferenczy v. MCI Medical Clinic, [2004] O.J. No. 1775. Justice Dawson concluded that video surveillance of a medical malpractice plaintiff is not “commercial activity” for the purposes of PIPEDA:
25 The plaintiff submits that the private investigator (an organization) retained by the CMPA (an organization) was collecting and making a record (videotape) of the plaintiff's personal information (images) during the course of commercial activity (while being paid), and that as the plaintiff did not consent to the collection and release of the information, the investigator and the CMPA are in contravention of the Act.
26 For a number of reasons I disagree. I will deal with some specific reasons momentarily, but first I will make a few general comments.
27 The legislation in question is complex and so broadly worded that a reasonable argument could be made to extend its reach so far as to transform both civil and criminal litigation into something very different than it is today. The arguments advanced on behalf of the plaintiff here prove that point. On the basis of the plaintiff's argument, Dr. Weinstein might be permitted to take his own video camera and record surveillance evidence in his own defence, but a licenced private investigator could not do so on his behalf if he was being paid to do so.
28 This argument would extend to an accused in a criminal case. While there are exceptions in the Act that allow law enforcement agencies to investigate and collect information about a suspect or an accused, an accused would arguably be prevented from utilizing a private investigator, or other paid agent, to collect information or conduct surveillance that could be vital to his or her defence. …
30 One way to avoid this result, and I conclude it is the correct interpretation of the Act, is to apply the principles of agency. On this analysis it is the defendant in the civil case who is the person collecting the information for his personal use to defend against the allegations brought by the plaintiff. Those whom he employs, or who are employed on his behalf, are merely his agents. On this analysis s. 4(2)(b) of the Act governs. That section reads as follows:
>4(2) This part does not apply to
...
(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose;
The defendant through his representatives was employing and paying an investigator, to collect information for him. It is the defendant's purpose and intended use of the information that one should have regard to in determining the applicability of the Act. On the basis of this analysis I conclude that the defendant is not collecting or recording personal information in the course of commercial activity. He, through his agents, was collecting information to defend himself against the lawsuit brought by the plaintiff. This is a personal purpose in the context of the civil action brought against him by the plaintiff. In my view, this conclusion is consistent with the overall purpose of the Act which is aimed primarily at information collected as a part of commerce. [emphasis added]
The collection, use and disclosure of personal information in connection with private litigation is a private matter and not "commercial activity". Simply put, a claim for damages under the common law or litigation related to such a claim cannot be reasonably said to be a “commercial activity”. The fact that the relationship between the defendant, on one hand, and the law firm, on the other hand, is commercial is not relevant: As PIPEDA requires a “commercial activity” nexus to be applicable, the fact that the law firm is being paid is immaterial, no such nexus would exist and PIPEDA should not apply.
Parliament limited PIPEDA’s application to “commercial activities” (and federal works, undertakings and businesses) because federal jurisdiction is limited by the Constitution Act, 1867. In passing PIPEDA, Parliament relied upon its jurisdiction over the “Regulation of Trade and Commerce” contained in s. 91(2). A private lawsuit between two individual litigants (and all matters ancillary thereto), are a matter of “Property and Civil Rights in a Province”, which is an area of jurisdiction specifically reserved to the Provinces in s. 92 of the Constitution Act, 1867. Simply put, an attempt to enforce PIPEDA between two private individuals, acting in their private capacities (even if one is acting through a paid agent) would be an unconstitutional application of PIPEDA.
If Section 4(1)(a) is going to be read in such an expansive way, virtually all activities fall within "commercial activities". A public hospital will be engaged in commercial activities because it gets paid by medicare and because most attending physicians are actually incorporated contractors. (Even worse: some hospitals charge for casts and splints and private rooms!) All universities are engaged in commercial activity since they collect tuition and charge room and board. All public schools are engaged in commercial activities because students have to pay for field trips. All provincial government departments are engaged in commercial activity because you have to pay to register your car.
At the end of the finding, the following is noted:
For both complaints the Assistant Commissioner also indicated that she would
pursue the matter in accordance with the Act and referred the cases to her
litigation counsel. Shortly after being contacted by the Commissioner’s
counsel, both law firms agreed to implement the recommendations thus avoiding
the need to follow through with an Application in the Federal Court.
I can understand why the firms would not want to be drawn into an expensive proceeding in the courts, but it is regrettable that this finding will remain unchallenged.