Thursday, December 17, 2015

Nova Scotia's cyberbullying law declared to be unconstitutional and a "colossal failure"

Full disclosure: I was counsel to the applicant respondent in this case. (The party seeking to have the order set aside and to have the statute found to be unconstitutional.)

The Nova Scotia Supreme Court has just released its decision in Crouch v Snell, 2015 NSCC 340 (PDF).

In the decision, the Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. The law has been found to violate the Canadian Charter of Rights and Freedoms' guarantees of freedom of expression and “life, liberty and security of the person” rights, in a manner that cannot be upheld as a reasonable limit on those rights that can be justified in a free and democratic society. In short, the law is a dramatic failure.

The case related to two adults, former business partners, who had a falling out. Mr. Crouch sought and obtained an ex parte cybersafety protection order before a justice of the peace in December 2014. The respondent (I was his counsel) challenged the order and the legislation.

I have not been known as a fan of the Cyber-safety Act. I've blogged about it, written Op-Eds about it and I've called it a dumpster fire. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the tragic death of Rehtaeh Parsons. In my view, it was created in haste in the immediate, emotional aftermath of the tragic death of a young woman who had been sexually assaulted and had photos of the assault circulated around the community. The government of the day -- which was heading for an election -- was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent.

Among other things, the Act allows an alleged victim of cyberbullying to appear before a justice of the peace to obtain a cybersafety protection order. These orders can go so far as to result in the confiscation of electronic devices and being barred from using the internet. An alleged cyberbully never has any notice of this hearing and has no right to give his side before the order is made. In this case, the order of the justice of the peace even ordered the respondent to delete all of his social media postings that didn’t refer to anyone in particular, as they may have referred to the complainant.

The case mainly focused on two aspects: the definition of "cyberbullying" at the heart of the Act and the scheme that permits applications and orders without notice to the other side. The Court found the Act violates freedom of expression rights and cannot be saved. The definition is overbroad and encompasses a range of expression that is constitutionally protected:

[115] The Act restricts "any electronic communication through the use of technology ... that is intended or ought reasonably be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person's health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way". It is not difficult to come up with examples of expressive activity that falls within this definition, and at the same time promotes one of the core freedom of expression values. Moir J. did just that in Self, supra at para. 25:
A neighbour who calls to warn that smoke is coming from your upstairs windows causes fear. A lawyer who sends a demand letter by fax or e-mail causes intimidation. I expect Bob Dylan caused humiliation to P.F. Sloan when he released "Positively 4th Street", just as a local on-line newspaper causes humiliation when it reports that someone has been charged with a vile offence. Each is a cyberbully, according to the literal meaning of the definitions, no matter the good intentions of the neighbour, the just demand of the lawyer, or the truthfulness of Mr. Dylan or the newspaper.

[116] In conclusion, I find that the Act has both the purpose and effect of controlling or restricting freedom of expression.

Once any limitation on a Charter protected right is found, it can only be justified if (i) it is prescribed by law, (ii) it relates to a pressing and substantial objective, (iii) the impugned provision must be rationally connected to the objective, (iv) it must impair the Charter right "minimally" and (v) the effects must be proportional. In this case, remarkably, the Court found that it is not even "prescribed by law" as it is not sufficient intelligible:

[137] In this regard, I find that the Act provides no intelligible standard according to which Justices of the Peace and the judiciary must do their work. It does not provide sufficiently clear standards to avoid arbitrary and discriminatory applications. The Legislature has given a plenary discretion to do whatever seems best in a wide set of circumstances. There is no "limit prescribed by law" and the impugned provisions of the Act cannot be justified under s. 1. In the event I am wrong, I will perform the balance of the Oakes analysis.

The Court also found that the ex parte procedure is not rationally connected to the mischief to be addressed:

[156] ... Section 5(1) must be read as requiring protection order applications to be made without notice to the respondent. I also agree with the Respondent's submission that even if s. 5(1) did give applicants a choice in the matter, it would be a rare case indeed where an applicant would choose to give notice.

[157] Finally, with respect to the Attorney General's reliance on the various procedural safeguards set out in the Act, the reality is that while the respondent waits for the opportunity to be heard at a de novo hearing, his or her Charter-protected rights and freedoms will continue to be infringed upon. This will be on the basis of a proceeding that most likely occurred without notice to the respondent, and without the respondent having had an opportunity to be heard.

[158] I find the process set out in s. 5(1) of the Act is not rationally connected to the legislative objectives. The process does not specifically address a targeted mischief.

On "minimal impairment", the Court called the Act a "colossal failure":

[165] I need to consider all of the types of expression that may be caught in the net of the Cyber-safety Act, and determine whether the Act unnecessarily catches
material that has little or nothing to do with the prevention of cyberbullying: R. v. Sharpe, 2001 SCC 2, [2001] S.C.J. No. 3 at para. 95. In this regard, the Cyber-safety Act, and the definition of cyberbullying in particular, is a colossal failure. The Attorney General submits that the Act does not pertain to private communication between individuals, but rather, deals with "cyber messages or public communications". With respect, I find that the Act restricts both public and private communications. Furthermore, the Act provides no defences, and proof of harm is not required. These factors all culminate in a legislative scheme that infringes on s. 2(b) of the Charter much more than is necessary to meet the legislative objectives. The procedural safeguards, such as automatic review by this Court and the respondent's right to request a hearing, do nothing to address the fact that the definition of cyberbullying is far too broad, even if a requirement for malice was read in. Moir J.'s comments in Self supra at para. 25, are instructive:
The next thing to note is the absence of conditions or qualifications ordinarily part of the meaning of bullying. Truth does not appear to matter. Motive does not appear to matter. Repetition or continuation might ("repeated or with continuing effect") or might not ("typically") matter.

[166] In conclusion, the Cyber-safety Act fails the "minimum impairment" branch of the Oakes test.
Emphasis added

The Court also found that the Act fails on the final proportionality test:

[174] The Attorney General submits that the Act strikes an appropriate balance because it only restricts expression that is malicious, and therefore low-value. The
Respondent says this Court must instead balance an individual's right to express any sort of speech captured in the definition of "cyberbullying" against the objectives of the Act. The Respondent says the Act prevents an individual from telling the truth if it hurts another person's feelings or harms their self-esteem, and it does not provide any defences. The Act does not accommodate expression that relates to individual self-fulfillment, truth-finding or political discourse. The Respondent submits that the Act can therefore "limit speech that cuts to the core of Charter values". The Respondent distinguishes Lucas on the basis that the libel provisions in the Criminal Code were upheld because they prohibit only falsehoods that are known by the defendant to be false.

[175] It is clear that many types of expression that go to the core of freedom of expression values might be caught in the definition of cyberbullying. These deleterious effects have not been outweighed by the presumed salutary effects.

In the end, the Court found that the Cyber-safety Act offends sections 2(b) and 7 of the Charter and cannot be justified.

Interestingly, the Attorney General asked that if the Act were declared to be unconstitutional, the Court should suspend the declaration of invalidity so that the legislature could go back to the drawing board. In court, we agreed that it could be suspended with respect to anyone but my client. The Court declared the entire Act to be unconstitutional but refused to suspend the order:

[220] Both parties confined their submissions to the definition of cyberbullying and Part I of the Act. I have identified a number of problems with both components. The remaining parts of the Act cannot survive on their own. They are inextricably connected to the offending provisions, in particular the definition of cyberbullying. Severance would not be appropriate. The Act being over-inclusive rather than underinclusive, reading in also would not be an appropriate remedy. I have already explained why reading in a requirement for malice is not, in my view, appropriate or sufficient. The Act must be struck down in its entirety. The Attorney General has not persuaded me that a temporary suspension is warranted. To temporarily suspend the declaration of validity would be to condone further infringements of Charter protected rights and freedoms. Further, the fact that the Act was enacted to fill a "gap" in the legislation does not mean that victims of cyberbullying will be completely without redress in the time it takes to enact new cyberbullying legislation. They will have the usual albeit imperfect civil and criminal avenues available to them.
Emphasis added

So far, the government of Nova Scotia has not commented on the case and it remains to be seen whether they will appeal the case or go back to the drawing board, or both.

If they do go back to the drawing board, I really hope they will do it with very careful deliberation and full consultation with experts. But if nothing else, they have a good example of how not to do it.

Thursday, December 10, 2015

Privacy Commissioner tables annual report on privacy in the federal government

The Privacy Commissioner of Canada has just tabled his Annual Report on the Privacy Act to Parliament for 2014-2015. The Privacy Act regulates how the federal government and its agencies can collect, use and disclose personal information. The full report is here: Annual Report to Parliament 2014-15 - Protecting personal information and public trust - Report on the Privacy Act.

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

Here's the media release prepared by the Commissioner:

Federal government needs to do more to guard against breaches and privacy violations: Privacy Commissioner

2014-2015 Privacy Act Annual Report to Parliament highlights results of an audit of the government’s management of portable storage devices and reported data breaches

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

  • More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.
  • More than 90% did not track all portable storage devices throughout their lifecycle.
  • More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.
  • One-quarter did not enforce the use of encrypted USB storage devices.
  • Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned device) on their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

Thursday, November 26, 2015

Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong

The CBC and the Canadian Press are reporting on comments made by RCMP Commissioner Bob Paulson calling for warrantless access to internet service provider customer information. (Bob Paulson, RCMP boss, wants warrantless access to online subscriber info - Politics - CBC News)

Yes, this is a revival of the lawful access debates that have taken place intermittently over the past decade or so.

Lets take a close look at what he said and why he's wrong.

Police need warrantless access to Internet subscriber information to keep pace with child predators and other online criminals, says RCMP Commissioner Bob Paulson.

The top Mountie said Wednesday that a Supreme Court of Canada ruling curtailing the flow of basic data about customers — such as name and address — has "put a chill on our ability to initiate investigations."

I don't disagree with that. But having to get a warrant to search someone's house also puts a chill on investigations.

"I'm all for warrantless access to subscriber info," Paulson told a security conference in Ottawa, comparing the process to his beat-cop days of entering licence-plate data into a computer and coming up with a vehicle owner's name.

"If I had to get a judge on the phone every time I wanted to run a licence plate when I was doing my policing, there wouldn't have been much policing getting done."

Whoa! This is an absurd characterization. Commissioner Paulson is either ignorant or disingenuous. The courts have held that you don't have an expectation of privacy -- vis-a-vis the police -- in your license plate information and your car registration information that it is connected to. The Supreme Court of Canada, in R v. Spencer (the case that Paulson clearly doesn't like or agree with), said very clearly that you have an expectation of privacy in your online customer data. In fact, the Court said at paragraph 50 of that decision:
"I conclude therefore that the police request to Shaw for subscriber information corresponding to specifically observed, anonymous Internet activity engages a high level of informational privacy."

And as Paulson should know, where there is an expectation of privacy, the police must get a warrant. It's that simple.

Mounting public concern

In June last year, the Supreme Court of Canada ruled police must have a judge's authorization to obtain customer data linked to online activities.

The high court rejected the notion the federal privacy law governing companies allowed them to hand over subscriber identities voluntarily.

The Supreme Court of Canada was not at all ambiguous about it. You and I have a reasonable expectation of privacy (which includes anonymity). In the absence of a production order from the Court or exigent circumstances, they police can't have it. (For a summary of the case, you may want to read this blog post.)

The Charter is the supreme law of Canada and the Supreme Court gets to have the final word. No amount of wishful thinking by the police will change that. Since their job is to uphold and enforce Canada's laws, they should start with that.

Police say telecommunications companies and other service providers — such as banks and rental companies — now demand court approval for nearly all types of requests from authorities for basic identifying information.

The Supreme Court judgment came amid mounting public concern about authorities quietly gaining access to customer data with little oversight or independent scrutiny.

Paulson said after his speech that he advocates giving police ready access to basic subscriber information while respecting the Charter of Rights and Freedoms.

'We've been consistent'

"I think we've been consistent in recognizing that we are very respectful of the charter and people's charter rights and nobody is recommending that we go any further," he said. "But there needs to be some sort of administrative access to basic subscriber information."

No, they really haven't. Not at all. The Charter requires a warrant. Paulson wants a way around that fundamental legal fact that is rooted in the supreme law of our country.

The Canadian Association of Chiefs of Police revealed in August that government officials were mulling just such a scheme — though it's not clear exactly how it would square with the court ruling.

The chiefs said a discussion paper spearheaded by the Department of Justice was presented to the federal, provincial and territorial cybercrime working group of senior officials.

The paper outlined three legislative options for allowing access to basic subscriber information:

  • An administrative scheme that would not involve court approval.
  • A new judicial order process or a tweak to the existing regime.
  • A judicial order process for subscriber information with a greater expectation of privacy and an administrative, non-judicial one for less sensitive subscriber data.

Paulson said while the Internet is a marvellous boon to communication, education and commerce, it is also a place where a vast array of crime takes place, including rampant sexual abuse of youngsters.

Time for a public conversation

Children are "being hurt at a pace and a frequency that is alarming," the commissioner said.

"Technology is fuelling that. So now these people can encrypt their communications and they can exploit children for sexual purposes and it's a little harder to get at them from a police point of view."

Many people want the Internet to be completely free, without rules, Paulson noted. "That's fine if we don't want justice there."

The as expected "think of the children!" appeal. I'm surprised that he didn't mention the terrorists. It is worth noting that the RCMP Commissioner and the Canadian Association of Chiefs of Police advocated for Bill C-30, which would have provided for warrantless access to customer data even for a parking ticket or even no crime had been committed.

Also, nice straw man there, Paulson. Please show me the people who are contributing to the debate who call for the Internet to be "completely free, without rules." You won't find them. Your opponents in this debate do not question that police need appropriate powers to investigate online crime.

It's time for a public conversation about how best to prevent all kinds of exploitation in cyberspace, he said.

Allies in the United States, Britain, Australia and New Zealand are confronting the same issues, Paulson added.

"We're all struggling with this. It's hard to keep people safe on the internet right now.

The RCMP and the lobbying agency for Canadian police are obviously trying to revive a debate that has been definitively settled. If they want to try to make the judicial authorization process more efficient or to tweak the thresholds for getting customer information in the event of serious crime, I can help them with that. But when the police state things that are simply wrong about a subject matter they really should know very well, I'm going to call them on it.

Saturday, November 14, 2015

Presentation: Use of drones in journalism & media

I had the great pleasure of speaking at the annual conference of the Canadian Media Lawyers Association's annual meeting in Toronto on the topic of legal issues related to the use of drones by the media and in journalism in Canada.

For anyone who may be interested, here's the presentation:

Wednesday, November 04, 2015

Let's all avoid technopanic in the call for additional privacy regulation for drones

Full disclosure: I'm not a bystander to this discussion. I'm an avid drone user, having purchased a training drone and then DJI Phantom 3 Advanced in May of this year. I've been capturing, editing and proudly showing relatively unique perspectives of the beautiful province in which I live. Feel free to check my videos out:

Over the past few months, Transport Canada has been engaged in a consultation process to look at how to safely integrate unmanned aerial vehicles into Canadian airspace. This involved a call for comments regarding draft regulations or proposed regulatory approaches. Sensibly, Transport Canada was focused on their mandate under the Canadian Aviation Regulations, which is to enhance safety and competition in Canadian airspace.

The Office of the Privacy Commissioner of Canada submitted a response dated August 27, 2015. (Notably, this was posted on the OPC's website in October, well after the opportunity to respond.) There has been some reporting on this (Protect schools, homes from drones' prying eyes, privacy czar says | Toronto Star), but not much.

If you think there's some vacuum regarding privacy and the use of drones, think again. Federal agencies are subject to the Privacy Act and the Charter. Provincial agencies are subject to relevant Freedom of Information and Protection of Privacy Acts and the Charter. Private companies are regulated under the Personal Information Protection and Electronic Documents Act or the Alberta, Quebec and British Columbia equivalents. All of them -- and private citizens -- are subject to the Criminal Code for voyeurism and the torts of "invasion of privacy". There really is no gap. And in most of them, we consider whether there is a reasonable expectation of privacy in the totality of the circumstances.

With respect, I think at least part of the position articulated in their submission is wrongheaded and is an example of technopanic. The Commissioner's office calls for the creation of a completely new concept of "sensitive and protected areas". These are areas that " while perhaps public, carry with them some expectation of privacy when people use them". Here's the relevant sections of the submission:

Sensitive and protected areas

From a safety perspective, operation of UAVs in crowded areas, around aerodromes, airports and heliports has already been restricted, both in Canada and many other countries. Other jurisdictions, including many in the US, have placed outright bans on usage of UAVs in certain sensitive areas where people might congregate or other aircraft might be operating – certainly until such time as sense and avoid systems are better developed and more widely deployed.

We would encourage CARAC members to give thought to exploring a similar line of reasoning with regard to privacy concerns. Residential areas, schoolyards and shelters, hospitals and prisons, places of worship and memorial sites – all come to mind as spaces which, while perhaps public, carry with them some expectation of privacy when people use them.

As with identification methods noted above, we do not here have an exhaustive list of locations in mind, nor would we recommend an outright prohibition on usage in these areas, but would ask CARAC to consider developing a best practices approach to flag certain spaces like those mentioned as privacy sensitive (places where individuals’ sense of potential intrusion is generally heightened). Just as we would anticipate organizations concerned about their own security would be alarmed by sudden increases in the use of UAVs around their property, we would expect citizens could be similarly concerned if certain spaces were encroached upon.

For a recent specific example of regulation in this context, please see guidance issued this summer by Argentina’s Data Protection Authority, and where investigative use is contemplated, you might refer to our own Office’s Guidelines on the Use of Video surveillance by Public Authorities.

One of the great characteristics of Canadian law is that it is technologically neutral. We generally focus on the mischief, rather than the instrumentality. Fraud is fraud, regardless of whether it is done with a quill, a pen, a phone or a fax machine. While we may get excited about new technologies, we don't legislate about them specifically unless there really is a need to do so or a clear gap in the law.

With "sensitive and protected areas", we are still talking about public spaces. Is there any difference between taking a photo in a residential area with a DSLR or with a drone? I have a 300mm lens for my Nikon D90 and any law that said I couldn't use it to take photos in the park down the street would be unconstitutional. My drone has a 20mm wide angle. A military predator drone can do much better than anyone's civilian digital camera. If there is a problem with people taking photos in parks or residential areas, make a law that deals with photos in residential areas or parks. And any law would have to apply to me in the same what that it applies to a TV news crew. (And then see whether it survives a Charter challenge.) It should not matter what technology you use to do that. If the problem is the effect, focus on the effect. Not on the shiny new technology that you think may be creepy.

Everyone who uses these devices needs to follow all relevant laws, which include privacy laws. And that covers it.

If you want more about this, I just gave a presentation at the Unmanned Systems Canada 2015 conference on privacy law and drones and will be speaking at the Canadian Media Lawyers Association - Ad Idem conference on privacy and drones.

Presentation: Privacy and drones in Canada - the current state of the law

I had the pleasure of presenting at the Unmanned Systems 2015 conference this week, on the topic of privacy and drones (or unmanned aerial vehicles or unmanned aerial systems). I mostly spoke about what privacy laws apply to the different aerial activities in Canada, with a bit of discussion about what might be over the horizon.

For anyone who may be interested, here's the presentation I gave:

Thursday, October 29, 2015

Supreme Court to hear important case about legal privilege and access to information/privacy laws

This morning, the Supreme Court granted leave to appeal the Alberta Court of Appeal decision in University of Calgary v JR, 2015 ABCA 118.

In a nutshell, this will be a revisiting of Blood Tribe, but in the context of the provincial access to information laws that govern public bodies and government agencies.

Here’s the summary of the issue in appeal from the SCC website:

Information and Privacy Commissioner of Alberta v. Board of Governors of the University of Calgary

(Alberta) (Civil) (By Leave)

Keywords Privacy - Access to information.


Case summaries are prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch) for information purposes only.

Privacy — Access to information — What words must a statute employ to empower a tribunal to review records to determine whether a claim of privilege is valid?

In the course of a wrongful dismissal suit by an individual against the respondent University, the University asserted solicitor-client privilege over certain material. The individual made an access to information request under s. 7 of the Freedom of Information and Protection of Privacy Act, R.S.A. 2000, c. F-25, seeking certain records about her in the University’s possession. The University provided some disclosure, but claimed solicitor-client privilege over some of the requested material. The Commissioner’s delegate eventually directed the University to the Commissioner’s “Solicitor-Client Privilege Adjudication Protocol”. When the University did not comply, the delegate issued a “notice to produce records” under s. 56(3) of the Act. It reads, in part, “[t]he Commissioner may require any record to be produced to the Commissioner and may examine any information in a record… [d]espite any other enactment or any privilege of the law of evidence”. The delegate indicated in an accompanying letter that the purpose of the notice was to enable him to determine whether solicitor-client privilege had been properly asserted because the University had not provided sufficient evidence to allow him to make that determination. The University sought judicial review of the delegate’s decision to issue the notice to produce. The Law Society of Alberta was granted intervener status at the Court of Queen’s Bench and the Court of Appeal. The application for judicial review was dismissed, and the subsequent appeal was allowed.

In the same batch of leave applications, the Court dismissed leave to appeal from the Ontario decision of Hopkins v. Kay, 2015 ONCA 112. In that Case, the Ontario Court of Appeal declined to throw out a class action brought against a health authority which had argued that the provinces Personal Health Information Protection Act was a complete code which ousts claims for intrusion upon seclusion.

Tuesday, October 06, 2015

EU Court of Justice invalidates "Safe Harbour" framework for EU-US personal data transfers

The European Court of Justice has just declared that the European-American Safe Harbour framework to be invalid. The Safe Harbour Framework was a compromise solution to address the prohibition against transfers of European personal information to any jurisdiction without "adequate" privacy protections. The American government and the European Union arrived at a voluntary, opt-in framework by which US companies could submit to a form of regulation that would be considered adequate for European standards. Following a complaint by an Austrian Facebook user, the court essentially determined that -- in light of the Snowden revelations -- that personal data in the US is not afforded adequate protection.

The decision is here: Maximillian Schrems v Data Protection Commissioner.

Here's the Court's press release 117/15:

Court of Justice of the European Union

PRESS RELEASE No 117/15 Luxembourg, 6 October 2015

Press and Information

Judgment in Case C-362/14

Maximillian Schrems v Data Protection Commissioner

The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity

The Data Protection Directive1 provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 20002 the Commission considered that, under the ‘safe harbour’ scheme,3 the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications,4 according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic
communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

NOTE: A reference for a preliminary ruling allows the courts and tribunals of the Member States, in disputes which have been brought before them, to refer questions to the Court of Justice about the interpretation of European Union law or the validity of a European Union act. The Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s decision, which is similarly binding on other national courts or tribunals before which a similar issue is raised.

Unofficial document for media use, not binding on the Court of Justice. The full text of the judgment is published on the CURIA website on the day of delivery. Press contact: Christopher Fretwell  (+352) 4303 3355 Pictures of the delivery of the judgment are available from "Europe by Satellite"  (+32) 2 2964106

Saturday, August 29, 2015

Canadian Police Chiefs looking to resurrect warrant-less access to telecom users' data

The Canadian Association of Chiefs of Police, at their annual conference, just passed a resolution looking to resurrect the lawful access debate following R. v. Spencer.

I find it puzzling. They are looking for warrantless access to customer data (which they call BSI, or basic subscriber information) where there is no expectation of privacy, while the Supreme Court of Canada said that there is a reasonable expectation of privacy in basic subscriber information. Their resolution (reproduced below), refers to recent caselaw that follows old pre-Spencer decisions that say there is no expectation of privacy in customer name and address connected to a telephone number. The resolution also refers to options being considered by a federal, provincial and territorial cybercrime working group to provide warrantless access to BSI.

Let me get this straight: they want warrantless access to BSI where there is no expectation of privacy, while the Supreme Court has said there is an expectation of privacy in BSI. So what's left of the categories of BSI where there is no expectation of privacy?

A few things are clear to me, which make this resolution and the apparent efforts to circumvent the warrant process very problematic.

  • The Supreme Court said there is a reasonable expectation of privacy in BSI, at least in the internet context;
  • The CACP and law enforcement generally have consistently said -- contrary to what the Court found in Spencer -- that there is never an expectation of privacy in BSI;
  • You can't trust law enforcement to determine whether an expectation of privacy exists.

I recognize that BSI is often critical to investigations, but it can't be a free for all where the police get access to it without an impartial judicial officer determining, on sworn evidence, that the balance between privacy and public safety is in favour of public safety. The inexorable conclusion is that the only solution to this is to make the warrant and production order process more efficient and streamlined.

Justin Ling did a great article on this for the CBA's National Magazine: National | Accessing subscriber data: Working around the Spencer ruling.

Resolution #03 - 2015


Submitted by the E-Crimes Committee

WHEREAS law enforcement requires real-time, or near real-time access to basic subscriber (customer name and address) information (BSI) as it relates to telecommunications’ customers for investigative reasons, and;

WHEREAS the Supreme Court of Canada, in their majority decision in R. v Spencer, 2014 SCC 43, did state that:

  • a reasonable expectation of privacy exists in the identity of an internet subscriber where there is an ability to link that identity to specific online activity;

  • the identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name address and telephone number found in the subscriber information;

  • absent an exigent circumstance, or authority from a reasonable law, such as authority from a judicial warrant or order, police do not have the power to conduct a search for basic subscriber information (BSI) when there exists a reasonable expectation of privacy in that information, and;

WHEREAS since the Spencer decision, the telecommunications companies refuse to provide any basic subscriber information (BSI) in the absence of an exigent circumstance, or a judicial warrant or order, even where there exists no reasonable expectation of privacy, and;

WHEREAS there exists no lawful authority designed specifically to require the provision of basic subscriber information, and the problems posed by this gap in the law are particularly acute where there exists no reasonable expectation of privacy in that information.

THEREFORE BE IT RESOLVED that the Canadian Association of Chiefs of Police supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, basic subscriber information (BSI) from telecommunications providers.



In June 2014, the Supreme Court of Canada issued a decision in the case of R v. Spencer - identifying that subscriber information that allows for the linking of the identity of a person with specific online activity in the context of a criminal investigation engages a high level of informational privacy. However, telecommunications and other service providers (e.g. financial institutions, rental companies) have interpreted the court's findings more broadly, and now demand judicial authorization (based on a reasonable grounds to believe threshold) for nearly all types of government requests for basic identifying information, extending beyond instances involving a person's substantive Internet activity.

The impact of the Spencer ruling and the broader response by telecommunications and other service providers is having a significant impact on law enforcement and criminal investigations. Basic identifying information is often required at the onset of an investigation where technology plays a role, but the judicial threshold required to obtain warrants and general production orders to access basic identifying information is difficult, and often impossible, to satisfy when an investigation is in its early stages.

Moreover, the impact of the Spencer ruling has caused substantial resource and workload challenges for law enforcement. For example, prior to the Spencer ruling, law enforcement agencies would generally complete a voluntary request to telecommunications service providers for basic identifying information in under an hour, and receive a response from service providers within the same day. Following the Spencer ruling, accessing the same information now often requires ten to twenty times the amount of administrative work and documentation, days of preparation to seek judicial authorization, and responses from service providers can take upwards of one month - sometimes exceeding a service provider's data retention schedule for the same information (meaning the information is no longer available).

Criminal investigations impacted by the Spencer ruling are now often delayed and in some cases, not pursued, due to judicial authorization or resource challenges. This impact applies to a range of investigative work, such as cases involving suspected online child sexual exploitation and abuse, fraud and other financially-motivated crimes, organized crime, requests for international law enforcement assistance, and national security matters involving suspected extremism and other threats to Canada - all of which may require basic identifying information from a telecommunications or other service provider to identify potential evidence for criminal investigations and prosecutions.

Transparency Guidelines

Transparency Reporting Guidelines were prepared by Industry Canada, in consultation with RCMP and other relevant Government of Canada partners, to help private organizations be open with their customers, regarding the management and sharing of their personal information with government, while respecting the work of law enforcement, national security agencies, and regulatory authorities. Specifically, the Guidelines cover categories of disclosures for reporting purposes and limitations to consider when reporting statistics. Of note, the Guidelines specify that there should be a six month delay in reporting timeframe to ensure that most active investigations have no possibility of being compromised. On June 30, 2015, the Transparency Reporting Guidelines were published on Industry Canada’s website:

Coordinating Committee of Senior Officials

Recently, a discussion paper, led by Justice, was presented to the Federal, Provincial and Territorial Coordinating Committee of Senior Officials, Cybercrime Working Group. The paper focuses on the impact of Spencer and legislative reform considerations.

Option 1: Create an administrative (non-judicial) scheme for access to Basic Subscriber Information (BSI).

Option 2: Create a new judicial order (production order) for basic subscriber information and/or add BSI to existing production orders.

Option 3: Create a specific production order for some types of basic subscriber information with a greater expectation of privacy, and create a specific administrative (non-judicial) authority for access to other types of basic subscriber information.

Recent Case Law

  • Since the Supreme Court of Canada released its decision in R. v. Spencer in June 2014, case law has started to emerge that applies the analysis in Spencer to other cases involving police requests for BSI.

  • The majority of relevant cases thus far are from Ontario and involve requests for BSI associated to a phone number. The cases have generally found that the privacy interests in BSI associated to a phone number are not the same as the privacy interests in BSI linked to an IP address, and distinguish Spencer on that basis. As such, the Ontario decisions have upheld warrantless requests for BSI associated to phone numbers as they found in the circumstances of each case that there was no expectation of privacy in such information. See: R. v. Morrison (unreported, Ontario Court of Justice, Reasons released on December 17, 2014); R. v. Khan (2014 ONSC 5664); R. v. Latiff (2015 ONSC 1580); R. v. Nurse and Plummer (2014 ONSC 6004).

  • The issue of whether there is a reasonable expectation of privacy in BSI associated to a phone number has also emerged in the context of transmission data recorders warrants (TDRW). These warrants provide judicial authorization to record incoming and outgoing dialed phone numbers. In Ontario, police/Crowns have argued before the Superior Court of Justice that an assistance order is the proper authorization to obtain in conjunction with a TDRW to compel a service provider to provide the BSI associated with the dialed numbers. However, Telus has argued that due to the privacy interests in BSI, as found in Spencer, a general warrant is the proper authorization. Nordheimer J. agreed with the police/Crown and held that Spencer was a decision dealing with the Internet and it did not find that there is always a reasonable expectation of privacy in BSI, but rather it will depend on the circumstances of each case. This is a very recent decision (June 19, 2015), and it will be interesting to see if other jurisdictions follow this reasoning. See H.M.Q. v. TELUS Communications Company, 2015 ONSC 3964.


Action Plan

The CACP Law Amendments Committee will work with the E Crime Committee to develop new legislation that supports the creation of a reasonable law designed to specifically provide law enforcement the ability to obtain, in real-time or near real-time, BSI from telecommunications providers.

The Committee will keep abreast of the ongoing work of the F/P/T Coordinating Committee of Senior Officials, Cyber crime Working Group who is leading the policy development of legislative reform considerations; next meeting schedule in November, 2015.

Requirement to develop an overall government-wide approach to ensure law does not run counter to government objectives or would require major modifications in the future.

Monday, August 17, 2015

Nova Scotia's Cyber-safety Act (hopefully) heading for a Charter challenge

A case I am involved with is hopefully heading to argument on Friday in the Supreme Court of Nova Scotia on whether the province's Cyber-safety Act goes too far in infringing Charter protected speech. There has been a lot of interest in the statute since the former NDP government jammed it through the legislature in the wake of the tragic death of Rehtaeh Parsons. It's my opinion that rather than address a dramatic failing on the part of the police and prosecution service (which the government would have to admit occurred on its watch), the government pulled out the old "there wasn't a law! we need a new law!". The result was a hastily assembled statute, which is more fully described elsewhere on this blog.

The case has been bifurcated, so that on Friday there will be a decision on whether, in the view of the judge, my client should be subject to a "cybersafety protection order" under the Act. Depending on the outcome of that decision, we will argue that the Court should consider the Charter and our arguments that the Cyber-safety Act violates Section 2(b) of the Charter and cannot be saved by Section 1 as a reasonable limitation on freedom of expression. But even if the judge determines that he does not have to consider the Charter, I am sure that this dumpster fire of a statute will face Charter scrutiny sometime soon.

The Halifax Chronicle Herald did a big piece on the story (much larger than I had expected) in the weekend edition of the paper and there's been a lot of other media attention as well, including this interview on CTV Atlantic which summarizes my view.

Here's the Herald article:

Lawyer set to launch charter case against law inspired by Rehtaeh Parsons | The Chronicle Herald

A law inspired by the death of Rehtaeh Parsons could face its first court challenge next week when a Halifax lawyer will attempt to argue it violates charter rights regarding freedom of expression.

The Cyber-safety Act was brought in by the former NDP government in response to a wave of public criticism of the way Rehtaeh’s case was handled. The 17-year-old girl died after attempting suicide in 2013. She accused several boys of raping her while she was drunk and a photo of the alleged sexual assault was widely circulated among her peers.

Within weeks of Rehtaeh’s death, former justice minister Ross Landry was in a Halifax high school unveiling the new legislation. Critics, Halifax lawyer and privacy expert David Fraser being one of the most vocal, say the government’s actions were too fast, too sweeping and did not consider the full implications of such a bill.

Cyberbullying is a real problem, said Fraser, but his argument goes beyond that.

“The issue is, how do you define it and how do you define it in a way that takes into account the fact that people should have freedom of expression to, particularly, speak about matters of public interest?” said the partner with McInnes Cooper.

On Friday, Fraser and his client, Robert Snell, will learn from a judge whether Snell did in fact cyberbully a former business partner as defined by the province’s Cyber-safety Act. Snell had a protection order placed on him by the courts as a result of statements he made online. The order prevents Snell from communicating with Giles Crouch or discussing their disagreement.

Following the judge’s decision, Fraser hopes he will be able to begin arguing that the law breaches Section 2 of the Charter of Rights and Freedoms. The two issues were split following an argument from the attorney general. The government’s view is if the judge finds Snell’s actions were not cyberbullying, there is no reason to address the charter aspect.

Regardless, Fraser is going to court prepared to begin the charter fight.

Laws need to be more nuanced when they approach values protected by the charter, said Fraser. It’s why injecting more context is so important, he said. The legislation doesn’t take into account, for example, the difference between criticism of a public official and hurtful comments directed at a young or vulnerable person, said Fraser.

“I should be able to go on social media and, let’s say, call the premier of a province a liar for not keeping a campaign promise. Now, that may hurt his feelings, may harm his self-esteem, and so that would be cyberbullying. We need to have a way of taking those sort of things into account.”

Fraser isn’t the only person who has issues with the law.

Cara Faith Zwibel at the Canadian Civil Liberties Association said she’s not sure the law is even necessary.

“My inclination would be to take a really hard look at what already exists out there to address these problems, and I think the fact is that there is quite a lot out there already that can; it’s a matter of the will to actually use those tools.”

The serious and damaging kind of cyberbullying could be addressed through existing elements of the Criminal Code that handle harassment, as well as defamation law when the matter concerns reputation, said Zwibel. She shares Fraser’s view that the breadth of the definition of cyberbullying goes too far and also has concerns about the protection orders the CyberSCAN unit can impose, which can include bans on using electronic communication.

“I don’t think it’s a matter of just tweaking the existing legislation,” Zwibel said. “I don’t think there’s been a compelling case made for why it’s necessary.”

The man who has become a leading expert on cyberbullying understands the concerns of Fraser and Zwibel, but Wayne MacKay said there are several broad questions that must be weighed.

A professor at Dalhousie University’s law school, MacKay was the lead on the province’s cyberbullying task force. He said the former government adopted a similar broad definition as was laid out in the task force’s final report. MacKay was not consulted in the drafting of the legislation.

“There’s no question that it does limit freedom of speech, as does hate speech,” he said. “The question is often whether or not it is a reasonable limit in a free and democratic society.”

The main debate will be whether the benefits of the law outweigh the invasions of rights for those who want to exercise free speech, MacKay said. It’s not an easy debate, but he thinks there is reason to believe this is reasonable.

“I think the problem of cyberbullying is a very large and significant one.”

If there is to be a change, MacKay hopes it would be to adjust the definition of cyberbullying rather than just repealing the law.

“To eliminate the law or strike the whole thing down would be quite unfortunate.”

One of the problems with attempting to address the issue through other avenues, said MacKay, is those options aren’t as well known as the new legislation. More importantly, he said, CyberSCAN is a specialized agency focused only on these kind of matters. The unit has a range of remedies at its disposal, from informal meetings with involved parties all the way up to passing the matter on to police for crim-inal charges.

“I think there really isn’t another vehicle at the moment that offers that whole range of possible remedies.”

Although there may be room for clarification and improvement with the legislation, MacKay said judges are developing a fair degree of expertise in “drawing between what is acceptable free speech” and things that aren’t. They can’t ignore the legislation, but they can interpret it and, in so doing, judges can provide the necessary nuance, said MacKay.

The government will only become involved in the matter if the discussion of a charter challenge proceeds.

Provincial officials would not comment outside of the court proceedings. An email from a Justice Department spokesman said the province believes the act is constitutional. In a brief filed with the court, the government notes that “should the protection order be revoked by this court, such a result would remove the need to review the legislation under the charter as the matter would become moot.”

“To argue issues unnecessarily wastes precious judicial resources, does not advance the administration of justice and spends counsel’s time incurring unnecessary costs.”

Fraser, obviously, doesn’t see things that way. Regardless of how the judge rules in the matter of his client, the larger issue of constitutionality needs to be addressed, he said.

“I recognize we need to protect people, particularly vulnerable people, but it should not be at the expense of charter-protected speech. There needs to be a balance, and I don’t see any of that in the legislation as it exists.”

Tuesday, July 28, 2015

Privacy breach class action certified against Government of Canada for medical marijuana breach

In a decision issued on July 27, 2015 but not yet published (but available here as a PDF), the Federal Court of Canada has certified a class action against the Government of Canada for disclosing the personal health information of participants in the "Marihuana Medical Access Program" in a botched mailout that was intended to advise program participants about changes to the regulation, which ironically where said to protect privacy and safety.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error and that it was outside their normal practice, its reaction has consistently been "no harm, no foul".

What's most notable about this decision -- which is consistent with the recent decision in Condon v. Canada -- is that the court certified the plaintiffs' claim under the novel tort of "public disclosure of private facts". This tort is recognized in the United States, but is untested in Canada. It is a part of the four different privacy torts recognized by the Ontario Court of Appeal in Jones v. Tsige.

In March 2015, the Privacy Commissioner of Canada found that Health Canada's breach was a violation of the Privacy Act. At the certification hearing, the Government of Canada argued that the Privacy Commissioner's finding should be enough to satisfy everyone harmed by the breach, but the Court noted that the Commissioner can't award any of the damages sought by the plaintiffs.

Full disclosure: My firm is one of the firms representing the plaintiffs.

From the firms' media release:

Federal Court certifies privacy class action by Medical Marijuana patients against Health Canada


The Federal Court of Canada has certified a class action commenced on behalf of more than 40,000 medical marijuana licensees alleging that Health Canada violated their privacy.

In November 2013, Health Canada sent notices to over 40,000 participants of the Marihuana Medical Access Program (MMAP) to advise of changes to regulations governing the use of medical marijuana in Canada. The notices were delivered in oversized envelopes that had the words “Health Canada - Marihuana Medical Access Program” on the return address, revealing to anyone who saw the envelope that the recipient was licensed to possess or produce medical marihuana for medical purposes. Previously, Health Canada’s mailings to MMAP members were discreet and made no mention of marijuana on the envelopes. Despite the Government of Canada’s acknowledgement of the error, it insists that no one was harmed by the breach.

In March 2015, the Office of the Privacy Commissioner of Canada concluded that Health Canada violated federal privacy laws. However, in the recent certification decision, the Court found that the class action is necessary to provide access to justice because the Privacy Commissioner cannot order the Government of Canada to compensate class members harmed by the breach. The Government has 30 days to appeal the certification decision.

McInnes Cooper, Branch MacMaster LLP, Charney Lawyers, and Sutts Strosberg LLP are jointly representing the plaintiffs in the medical marijuana privacy breach class action filed in the Federal Court against the Government of Canada. The plaintiffs seek damages for breach of contract, breach of confidence, invasion of privacy and Charter violations.

“We are very glad to see this case moving forward. The certification decision means that the Court has agreed that this is an appropriate case for a class action and that allowing all of the class members to proceed in a group is in the interests of justice,” said Ward Branch of Branch MacMaster LLP. “The Government of Canada has fought us at every turn, but have also lost each motion to date. We are hopeful that they will now see the wisdom of sitting down to resolve the issues created by this error.”

“This is not over yet, but the thousands of affected program members should take some comfort that every legal claim we advanced on their behalf has been approved to go forward,” said David Fraser of McInnes Cooper.

“As citizens of this great country, we rely on our government to protect our sensitive personal information from being disclosed and to protect our privacy during all communications. This decision sends a clear message to the government that our Courts consider privacy to be of the utmost importance and expect our government to take its privacy obligations seriously or face the consequences,” said Ted Charney of Charney Lawyers.

“Over one thousand people have registered on our secure website to tell us how the breach affected them. We will continue to pursue justice for those harmed by the breach,” said David Robins of Sutts, Strosberg LLP.

While it is not necessary to “opt in” to participate in the class action, class members are urged to visit the website to obtain updates and to register because the information collected on the secured site will assist class counsel in communicating with class members and moving the case forward. Those who have already registered do not need to re-register but should update their information if their circumstances change or to report further harm suffered from the breach.

- 30 -

About Branch MacMaster LLP

Branch MacMaster LLP is a boutique litigation law firm established in 1998 and located in Vancouver, British Columbia. The firm focuses on class actions, health, insurance, and personal injury. The firm provides responsive, flexible, and cost-effective service to their clientele.

About Charney Lawyers

Charney Lawyers is a Toronto, Ontario firm with an established reputation for excellence in advocacy. The firm is experienced in personal injury, class proceedings, commercial litigation, insurance defence, employment law, medical malpractice, food borne illness, construction law and appeals.

About McInnes Cooper

McInnes Cooper is among the top business and litigation law firms in Canada, with more than 200 lawyers in seven Canadian offices, serving clients across North America and abroad. The firm is a market leader in energy and natural resources, business, litigation, employment, tax, real estate and insurance law. McInnes Cooper is the exclusive member firm in Newfoundland, New Brunswick, Nova Scotia and Prince Edward Island for Lex Mundi – the world’s leading network of independent law firms with in-depth experience in 100+ countries worldwide.

About Sutts Strosberg LLP

Sutts, Strosberg LLP is a nationally recognized law firm committed to excellence in litigation, with offices in Windsor and Toronto. The firm has a special interest in class actions, having represented groups or classes of individuals in every province and territory, and in every level of court, and is experienced in complex civil and commercial disputes, corporate, commercial and financial transactions, medical malpractice cases, personal injury cases, family law and criminal law.

For more information or to request an interview, please contact:

Ashley LeCroy
Manager, Marketing & Communications

For more background, check out these previous posts.

Friday, July 17, 2015

Supreme Court to hear PIPEDA case that left lender out in the cold

The Supreme Court of Canada has granted leave to appeal from the Ontario Court of Appeal decision in Royal Bank of Canada v. Trang, 2014 ONCA 883. This is and will be an important decision about how to deal with certain provisions of the federal privacy law that have an impact on lenders.

On December 9, 2014, the Ontario Court of Appeal decided that the Personal Information Protection and Electronic Documents Act (PIPEDA) prevents a mortgagee from disclosing the mortgagor’s discharge statement to another lender – even when that lender has a judgement against the mortgagor – without either the mortgagor’s express consent or a specific court order. The decision is relevant beyond Ontario because PIPEDA is federal legislation applicable across Canada, and Atlantic Canadian Provinces have legislation analogous to the Ontario legislation.

Scotiabank held a registered first mortgage on the Trang’s Toronto real property. RBC subsequently loaned the Trangs money. They defaulted and RBC obtained a judgment against them. Twice, the Trangs did not appear for their examination in aid of execution. RBC asked Scotiabank for a mortgage discharge statement to facilitate sale of the property. Scotiabank said PIPEDA precludes it from disclosing the statement without the Trangs’ consent. RBC asked the Ontario court for an order compelling Scotiabank to produce the mortgage discharge statement – but a split five-judge panel of the Ontario Court of Appeal refused. The Court did note that RBC could use the usual procedural tools to examine a representative of Scotiabank, though it is unclear to me whether that would result in the discharge statement.

The majority of the Court found that a mortgage discharge statement is personal information, and there was no implied consent on the part of the borrowers to have it disclosed in the circumstances.

It'll be interesting to see where the Supreme Court of Canada falls on this issue.

Wednesday, July 08, 2015

Court of Appeal finds negligence and breach of confidence claims should go forward in privacy class action against the Federal Government

The Federal Court of Appeal in Condon v Canada, 2015 FCA 159 (not yet available on CanLII but here as a Google Drive PDF), has reversed a lower court decision to not certify claims of negligence and breach of confidence in the class action lawsuit that followed the Federal Government's loss of a hard drive containing personal information about 583,000 Canada Student Loan recipients.

The plaintiffs, in Condon v Canada, 2014 FC 250, sought certification under a number of causes of action, including breach of contract, intrusion upon seclusion (invasion of privacy), negligence and breach of confidence. Breach of contract and intrusion upon seclusion do not require damages for an individual to recover, and both of these causes of action were certified. Those that do require damages to succeed, negligence and breach of confidence, were not successful at the certification motion.

The Court of Appeal noted that the proper test for certification is only to review the pleadings and to not inquire into the evidence. Since the plaintiffs had pleaded damages, that should be determinative:

[13] As stated by the Supreme Court, the determination of whether the pleadings disclose a reasonable cause of action is to be based on the assumption that the facts as pleaded are true. This would mean that evidence is not to be submitted at the hearing of the motion. Otherwise, the hearing of the motion could turn into a full hearing on the merits.

[14] In this case, the parties submitted affidavit evidence. In paragraphs 68 and 69 of her reasons the Federal Court Judge noted that:

68 In addition, a summary review of the evidence adduced by both parties leads the Court to the conclusion that the Plaintiffs have not suffered any compensable damages. The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit reporting agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

69 Nor does the evidence adduced support a claim for increased risk of identity theft in the future. Since the Data Loss, Equifax has produced reports pertaining to the credit files of the 88,548 individuals who availed themselves of the Credit Flag service. These reports show that there had been no increase in the relevant indicia that would be consistent with an increase in criminal activities involving those individuals' Personal Information. The rate of criminal activities registered was not higher than the 3% of the population generally victim of identity theft. Moreover, the Plaintiffs submitted a CBC news article concerning a Class Member who had been a victim of identity theft yet the article noted no proven causal link between the Data Loss and that theft.

[15] It appears that the Federal Court Judge evaluated the evidence in concluding that the Appellants had not suffered any “compensable damages”. The determination of whether the Appellants had a reasonable cause of action in negligence or breach of confidence should have been made based on the facts as pled, not on the evidence adduced in support of the motion.

[22] Reading the Consolidated Statement of Claim with this principle in mind, the Appellants have claimed that they have suffered damages and they have identified the nature of the damages that they are claiming. In particular, the Appellants have claimed special damages for “costs incurred in preventing identity theft” and “out-of-pocket expenses” and, as noted above, it is to be assumed that these costs have been incurred. As a result there was no basis to not include the claims for negligence and breach of confidence as part of the class proceeding.

The Federal Court of Appeal has sent the matter back to the trial level for determination, including the claims for negligence and breach of confidence and to determine the common questions in the class proceeding in relation to those claims.

Canadian government issues "transparency reporting guidelines"

The Canadian federal government has released "Transparency Reporting Guidelines", to provide companies with guidance on reporting law enforcement and national security requests for customer information. Surprisingly, the guidance came from Industry Canada and not Public Safety Canada or the Department of Justice.

What is particularly notable is that the government is strongly advocating for "banding", so it says that companies should not report exact numbers where they are between 1 and 100. Companies who wish to be transparent (which should be all companies) should know that these are guidelines only and there is no basis in law that I am aware of (absent a term in a particular court order) that requires this banding or aggregation.

B. Limitations

When reporting statistics by each of the categories listed in Part A, organizations should respect the following limitations, in order to protect the work of law enforcement, national security, and regulatory agencies

1. As presented in the sample chart below, figures between 0 and 100 should be represented in a band of '0-100' when any figure in column A (Number of Requests) or Column B (Number of Disclosures) is less than 100. In such cases the banding of figures should apply to all columns for that data type whose figure is between 0-100. Any figure over 100 may be represented by its actual number. This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

2. Figures should be aggregated to reflect Canada-wide statistics, and should not differentiate between law enforcement, national security, and regulatory agencies (i.e. there should be no breakdown by geography or specific agency). Moreover, these figures should also be aggregated such that service type and its associated network technology are not distinguishable (i.e. cellular voice services should not be subdivided and reported according to 2G, 3G or 4G/LTE network type, etc.). This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

3. There should be a six month delay in reporting timeframe. For example, if a report covers the period January 1 to December 31, 2014, it should not be released before July 1, 2015. This is to ensure that most active investigations have no possibility of being compromised.

The limitation provisions will ensure that transparency reporting does not impair or compromise national security or criminal investigations, and the safety and security of Canada and its citizens.

These provisions are dynamic and may be subject to change based on sensitive Canadian government operations that necessitate additional or other safeguards, or to keep pace with suspected criminal and unlawful activities that use telecommunications services and related technologies.

Personally, I think that companies should separately report ordinary criminal law enforcement requests and national security requests.

As an aside, I wonder if this means we'll get transparency reporting from Bell Canada, which is the only major Canadian telco to not provide such reporting.

Thursday, June 18, 2015

Digital Privacy Act (Bill S-4) now (partially) in force

Bill S-4, the Digital Privacy Act, which amends PIPEDA, has mostly been proclaimed into force by royal assent.

Notably, the most important part -- breach notification -- depends on regulations that have not been released, so that part is still not effective.

See: New Law to Protect the Personal Information of Canadians Online - Canada News Centre.

New Law to Protect the Personal Information of Canadians Online

Government of Canada's Digital Privacy Act comes into force

June 18, 2015 — Ottawa — Industry Canada

As Canadians increasingly turn to the Internet to conduct their day-to-day activities such as online shopping and banking, they need to have confidence that their personal information is protected. That is why the Government of Canada has enacted the Digital Privacy Act, which modernizes Canada's private sector privacy law. It sets clear rules for how personal information can be collected, used and disclosed.

Today, Industry Minister James Moore announced that the Digital Privacy Act has received Royal Assent and is now law.

Under the Digital Privacy Act:

  • Organizations are required to inform consumers when their personal information has been lost or stolen, ensuring that consumers can act to protect themselves when they shop online. Companies that cover up a data breach, or that deliberately fail to notify affected individuals and the Privacy Commissioner, could face fines of up to $100,000.
  • Companies need to use clear, simple language when communicating to ensure that vulnerable Canadians, particularly children, fully understand the potential consequences of providing their personal information online.
    Common sense changes are being made that recognize the need for businesses to use personal information to conduct normal everyday activities. Barriers are also being removed to enable the sharing of information when it is in the public interest, such as to detect financial abuse or to communicate with the parents of an injured child.
  • The Privacy Commissioner of Canada has improved powers to enforce compliance, making the Office of the Privacy Commissioner more flexible and effective in protecting the rights of Canadians in the changing digital world.
Quick facts
  • Ensuring Canadians are protected online is a key element of Digital Canada 150, the Government's plan to take full advantage of the economic opportunities of the digital age.
  • All new measures under the Digital Privacy Act are now in force, except for the data breach requirements. The data breach rules will come into force once regulations outlining data breach requirements are completed. The government will work closely with stakeholders and the Office of the Privacy Commissioner in developing the regulations.

"The Digital Privacy Act will protect the personal information of Canadians online. It will hold companies to account when Canadians' personal information has been lost or stolen and it will also give the Privacy Commissioner new powers to help enforce the law. Canadians need to have confidence that their online transactions are secure, their privacy is protected and their families are safe from online threats." – James Moore, Minister of Industry

"Breach notification and voluntary compliance agreements will strengthen the framework that protects the privacy of Canadians. Breach reporting requirements will act as an incentive for businesses to take the security of personal information even more seriously and will also allow individuals to take steps to protect themselves following a breach." – Daniel Therrien, Privacy Commissioner of Canada

Friday, May 01, 2015

In the absence of actual harm, privacy cases are hardly worth pursuing

Continuing the theme of "don't bother unless you have actual losses ..."

In Albayate v. Bank of Montreal, 2015 BCSC 695, the plaintiff claimed against her bank for wrongly changing the address on their records and thus exposing her financial info to her former spouse. In short, the court found the bank mistakenly changed her address but the husband did not read her statement. He did not use them to her detriment. The bank apologized. End of story.

Her damages were assessed at a nominal $2000.

Wednesday, April 29, 2015

Canadian Government on Copyright Notice Flood: "It's Not a Notice-and-Settlement Regime" via @mgeist

from Twitter

Monday, April 27, 2015

Canadian Privacy iAMA on Reddit

PrivaSecTech is hosting an AMA (“ Ask me anything “) on Reddit which will feature some of Canada’s top privacy professionals. On Friday May 1st from 17:00 - 20:00 AT / 15:00-19:00 ET / 12:00-16:00 PT, the team will be on hand to answer all of your privacy-related questions. Bring all of your interesting legal, policy, and technical questions as they apply to your organization or to yourself as a Canadian.

The team:

Micheal Vonn – The BCCLA’s own Policy Director, a specialist in privacy, national security, policing, surveillance and free speech.

Kris Constable – Senior Advisor & Consulting Privacy Officer at PrivaSecTech. Kris advises, trains, and audits organizations that prioritize the privacy of their users. Twitter: @cqwww

Andrew Clement – Professor in the faculty of Information, University of Toronto researching surveillance and privacy. He leads the internet surveillance mapping project and recently initiated the Snowden Surveillance Archive .

John Wunderlich – Independent privacy consultant and researcher. You can follow him on Twitter @PrivacyCDN or find him at .

Sara Levine – A specialist in privacy, freedom of information and health law, serving clients in the business, regulatory, non-profit, education and health sectors. Sara is committed to public education around privacy and freedom of information issues, and regularly speaks to groups interested in privacy rights and obligations in BC.

David T.S. Fraser – A Canadian privacy lawyer and partner with the firm of McInnes Cooper . He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

You will need an account on Reddit to participate. On the afternoon of May 1st, join the Canadian Privacy iAMA thread, and ask your question(s)! Visit PrivaSecTech’s event page for the link to the Reddit iAMA, which will be posted as soon as it is active!

In the interim, check out r/privacy and newly formed r/privacylaw .