Sunday, March 27, 2022

Video: Canada - US announce beginning of CLOUD Act negotiations


Today, I’m going to be talking about the newly announced “CLOUD Act” agreement negotiation process between Canada and the US to facilitate cross-border law enforcement investigations.

This is just beginning, so I’ll necessarily be doing some speculating.

This week, the United States Department of Justice announced that the governments of the US and Canada are currently negotiating an agreement under the CLOUD Act to facilitate cross-border law enforcement investigations.

This is a big deal. This will mean that Canadian police can use Canadian court orders to get evidence in the US, and American search warrants can be served on Canadians.

It is intended to be a solution to an issue that affects law enforcement in both countries who want evidence that is on the other side of the border.

Every country has absolute sovereignty over what happens in their territory

No “sovereign” can do anything in another sovereign’s territory without permission or invitation.

Canadian enforcement powers end – abruptly – at the border. A criminal court can’t order anyone outside of its jurisdiction to do anything, including the production of records.

It’s reciprocal: foreign states can’t extend their law enforcement into Canada without permission or invitation.

As it currently stands, a US search warrant has no effect in Canada. A Canadian production order has no effect in the US. Canadian law ends at the border, as does American law.

The Criminal Code does not authorize the issuance of a production order directed at a person or entity outside of Canada.

(It is important to remember that there’s a big difference between civil lawsuits and criminal investigations.)

Notice I said “without permission or invitation”. To provide that permission, countries have often entered into mutual legal assistance treaties with one another. If you’re investigating something in our country and some evidence is in our country, tell us about it and maybe we’ll assist you in getting it. I’ll discuss this a bit more later.

The reality is that most reputable US service providers will provide information to Canadian law enforcement under a Canadian production order, as long as they can do so without risking a violation of US law.

For example, in the first half of 2021, Twitter reports that it received 56 information requests about 63 accounts and it complied with 45% of them.

During the same time, Meta/Facebook reports it received 1,110 “legal process requests” from Canada and complied with 82% of the requests it received.

As I said, a Canadian production order doesn’t really have any effect in the US. But they generally do follow them, voluntarily, when they can.

Currently, a US privacy law called the Stored Communications Act prevents certain service providers from providing certain categories of data except with a qualifying US warrant. This annoys a lot of Canadian investigators, who have to go through formalities under the Mutual Legal Assistance Treaty between the two countries in order to get a US qualifying warrant.

A CLOUD Act agreement would remove that barrier and permit most US warrants for records and information to have effect in Canada. It is reciprocal, so Canadian law enforcement can get court orders in Canada for records that are in the custody of American service providers.

What is the CLOUD Act?

The CLOUD Act, or “Clarifying Lawful Overseas Use of Data Act”, was enacted in 2018. At the time, it got a lot of attention because it rendered moot a very high profile case in which US law enforcement was looking for data stored by Microsoft in one of their data centres in Ireland. Microsoft sensibly resisted the order, saying that US law did not extend to data that was outside of the US.

The case finally found its way to the Supreme Court of the United States, but before a decision was rendered, the US enacted the CLOUD Act that made it clear that a US warrant could compel US companies to provide stored data for a customer or subscriber on any server they own and operate, regardless where it is located, when demanded by warrant. The CLOUD Act also has a mechanism to challenge the warrant if they believe the request violates the privacy rights of the foreign country the data is stored in.

What the CLOUD Act also does is create a framework by which the US government can negotiate agreements with other governments for mutual recognition of the other country’s legal processes, subject to limitations set out in the agreement.

Before coming into effect, the bilateral or multi-lateral agreement needs to be put before the US congress, and the US Attorney General has to certify that the partner country has robust substantive and procedural protections for privacy and civil liberties.

The US has already negotiated such an agreement with the United Kingdom and Australia. Now it’s Canada’s turn.

This will be welcome news to Canadian law enforcement, who regularly seek evidence from US-based technology companies but sometimes find themselves hampered by a number of factors. In fact, Canadian law enforcement lobbying groups like the Canadian Association of Chiefs of Police have been pushing hard to get Canada to negotiate a CLOUD Act agreement with the United States.

Mutual Legal Assistance

There has for some time been a mutual legal assistance treaty between Canada and the United States, which provides a government-to-government pathway for law enforcement in Canada to obtain access to information in the United States. It is a two-way street, which similarly provides American law enforcement with access to Canadian data.

Without an agreement like the MLAT, carrying out searches on foreign territory violates international law and sovereignty.

The mutual legal assistance process has been said to be cumbersome and time-consuming, mainly because all requests from Canadian law enforcement are routed through the department of Justice Canada in Ottawa, who then sends a request to the United States Department of Justice. Both of these entities review the request and there is an element of discretion on the part of the receiving government as to whether or not they wish to process it. Assuming it is OK with the Canadian and US central authorities, a lawyer from the US Department of Justice seeks an order from the United States Federal Court that is addressed to the service provider, requiring them to provide the data to the US DOJ, which then sends the data to the Canadian DOJ and then to the law enforcement agency.

A key part of this process is the review and approval by the central authorities in each country. They ask “does this fit within the treaty?” “Does it meet the legal thresholds?” “Is it appropriately tailored – not too broad?” “Is it consistent with our laws and values?” “Does it implicate any of our own domestic interests?”

Canadian law enforcement generally would prefer to avoid this, and have tried to do so by seeking production orders in Canadian courts that name US based service providers.

The Canadian Criminal Code does not authorize the service of production orders outside of Canada, mainly because a Canadian court does not have jurisdiction over someone who is not in Canada. Some Courts simply will not issue these orders, but more are issuing these sorts of orders after a decision from the British Columbia Court of appeal called Brecknell. For a bunch of reasons, I think that decision is wrongly decided but for more information on that you can read my case comment.

In my experience, most US service providers will provide data in response to Canadian Court orders, but they are prohibited under US criminal law from providing the content of any communications except with a qualifying US warrant. That can be obtained through the MLAT process, but a “qualifying US warrant” is not available from a Canadian court.

A few years ago, I was involved in a case on behalf of an American company where a Canadian law enforcement agency sought and obtained a production order that would have required the US company to violate American law. The case ultimately became moot before it went to a hearing, so there's no written decision I can point you to. But it was clear that the attempt to do so was out of frustration with the mutual legal assistance process and the perception of the time it takes. In reality, urgent orders can be turned around quite quickly and the average turnaround time is around 2 months.

The process we have ahead likely looks like this: it will take some time to negotiate the agreement between Canada and the US. It is not “one size fits all”. Once the agreement is negotiated, it will have to go to the US congress – a process that is at least six months. And Canada would have to amend a bunch of laws before it can go into effect.

What to expect

So what would implementing a CLOUD Act agreement look like on the Canadian side of the border? I would only be speculating, because we don't have a final agreement to look at, but a number of laws would have to be amended.

For example, all of our existing privacy laws in Canada prohibit the disclosure of personal information or personal health information except to comply with a warrant, production order, court order or where required by law. Currently, that would be read as we're required by Canadian federal or provincial law. Or under a Canadian court order.

Complying with a US order would not fit within that. Those barriers would need to be taken down, or a new law would need to be passed so that these American orders could be complied with in Canada.

I don't think making US orders mandatory in Canada is how it would likely play out. On the American side of the border, the CLOUD Act does not make foreign orders mandatory in the United states. What it did was take down the barriers, mainly in the Stored Communications Act, that prevented US-based companies from disclosing certain categories of information. In order to be truly reciprocal, Canadian laws would need to be amended to permit disclosures to US law enforcement in response to a US court order or subpoena.

This is where I think things will get a little bit controversial in Canada. After all, two provinces went so far as to prohibit personal information from being stored outside of Canada or being accessed from outside of Canada because of an overblown concern about the USA PATRIOT act. In some instances, it is an offense to disclose personal information in response to a “foreign demand for disclosure”. All that would have to change, and I think that will attract some interesting responses.

At the end of the day, it makes sense that Canadian police should be able to go to a Canadian judge to get an order for access to information about Canadian suspects of a crime that took place in Canada.

It also makes sense that American police should be able to go to an American judge to get an order for access to information about American suspects of a crime that took place in the US.

The CLOUD Act agreements with the UK and Australia provide some idea about the guardrails that should be included in an agreement with Canada.

First, it should be limited to serious crimes and not triviality or just administrative and regulatory tribunals.

Second, it should not permit one country to investigate the citizens or residents of the other country. It should be limited to Canadian authorities investigating Canadian crimes, or American authorities investigating American crimes.

Third, there would be a mechanism by which either country gets to say for a particular request that the agreement would not apply in that instance.

Fourth, there should be a mechanism by which a company that receives a legal process to challenge it.

As a final note, when this progresses and we see what the agreement looks like, Canadians should be very careful to make sure that it is not used to further the Canadian so-called “lawful access” agenda that has been pursued for years and years by Canadian law enforcement. In particular, Canadian law enforcement have been trying to get the laws amended so they can get warrantless access to personal information.

Monday, March 21, 2022

Video: Privacy laws and the media (Part 1)


Today, I’m going to be talking about privacy rights and freedom of expression in Canada. Specifically, I’m going to be talking about privacy and news reporting.

This is a pretty big topic that could fill an entire course at both law school and journalism school, but I’m hoping to provide an overview of the significant laws and principles at play.

Charter

Most of us would be familiar with the idea of freedom of expression or freedom of the press.

In Canada, it is guaranteed in section 2(b) of our Charter of Rights and Freedoms under the heading of “Fundamental Freedoms”.

This section reads:

“Everyone has the following fundamental freedoms: (b) freedom of thought, belief, opinion and expression, including freedom of the press and other media of communication;”

In Canada, we regularly talk about freedom of expression, which is guaranteed to everyone. It does include “freedom of the press.”

Charter s. 1

In understanding how section 2(b) works, we also have to understand that it is not absolute. The freedom of expression guarantee is subject to section 1 of the Charter, which allows some limitations on Charter guaranteed rights.

Section one says:

“The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.”

Let’s break that down. Charter guaranteed rights can be subject only to “reasonable limits”, that are “prescribed by law” that have to be demonstrably justified in a free and democratic society.

It is always up to the government to justify these limitations.

It is important to note that freedom of expression not only includes the right to express oneself, but the courts have found that it includes a right to receive information. Limiting a journalist’s right to report on something also limits the public’s right to receive that reporting.

The Oakes test

The Supreme Court of Canada has given us the test for how to determine if an infringement of a Charter right can be justified under section 1. This is called the Oakes test, from a 1986 decision of the Supreme Court.

This also could be its own law school course, but in summary here it is:

First the limitation has to be “prescribed by law”. That’s right from section one. It can be a federal or provincial statute. It can be a regulation or a by-law. But it can’t be a whim of a state actor. It has to be rooted in the law. In some cases, the law could be so vague that it does not qualify as prescribed by law.

Second, the objective of the law has to be pressing and substantial. The courts will not permit Charter rights to be infringed for trivial objectives, so the law has to be for an important purpose.

Third, the impact on the Charter right has to be proportional. This has three parts:

The means chosen by the legislature to address these objectives must be rationally connected to the objective.

In doing so, the measures need to minimally intrude on the impairment of the rights at issue.

Finally, there must be proportionality between the infringement and objective. This is a final balancing step.

In order for an infringement of a Charter right to be justified, the government has to satisfy all parts of this test. If it fails one part, its justification fails.

The Common law

The Oakes test is only used for limitations that are prescribed by law, and something different is done for the common law. The common law is that substantial portion of our laws that are judge made and a bit more fluid.

Many of the privacy claims that I’ll be talking about are “common law”, including “intrusion upon seclusion” and “public disclosure of private facts”. These aren’t subject, strictly speaking, to the Charter.

The Charter limits what governments can do, how our parliament can legislate. The Common law isn’t generally a government imposing limits on what people can do, but most usually regulate what legal claims one person can have against another.

But the Supreme Court has said that the Common law needs to evolve in line with Charter principles and Charter values. For example, in a 2009 case called Grant v Torstar, the Supreme Court of Canada said that the common law of defamation needed to include a defence of “responsible communication on a matter of public interest” to take into account freedom of expression.

The protection of reputation was an important value that had to be balanced against the important right of freedom of expression.

Privacy statutes

So, is the press subject to privacy statutes like the federal Personal Information Protection and Electronic Documents Act or the BC and Alberta Personal Information Protection Acts?

Generally speaking, when engaged in journalism, they are not subject to these laws.

To do otherwise would be unworkable: journalists would have to get consent from politicians before reporting about them, whether it is favourable or critical. That would be a significant intrusion into freedom of expression.

As a result, all three of these laws specifically exclude all collection, use and disclosure that is exclusively for journalistic purposes.

Here is what PIPEDA says…

4(2) This Part does not apply to …
(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Alberta PIPA

Here is what Alberta’s PIPA says …

4(3) This Act does not apply to the following: …
the collection, use or disclosure of personal information, other than personal employee information that is collected, used or disclosed pursuant to section 15, 18 or 21, if the collection, use or disclosure, as the case may be, is for journalistic purposes and for no other purpose;

Common law claims

But journalists are subject to the common law, like defamation, and could be subject to common law privacy claims.

I am not aware of any cases where a journalist has been sued for “intrusion upon seclusion” or “public disclosure of embarrassing private facts” in Canada. If one were to be sued, the Court would have to take into account freedom of expression.

Public disclosure of private facts

This tort says that one who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of privacy if the matter publicized or the act of the publication (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.

Note it includes the “not of legitimate concern to the public.” So a lack of public interest is an important element of the tort, and proving public interest would overturn the claim.

Intrusion upon seclusion

In this tort, a person can sue another for an intentional (or reckless) intrusion into the private affairs of another without lawful justification, and that intrusion must be highly offensive to a reasonable person, causing distress, humiliation or anguish.

This tort was introduced into Canada in 2012 from the United States, and may be subject to some refining. It may well be that a court would have to read in the public interest factors that exist in the public disclosure tort in order to be consistent with the freedom of expression right in a case involving legitimate news reporting. Freedom of expression also includes the information gathering stage of reporting.

(You may have noticed that “public interest” came up in my discussion of the defamation defence created in Grant v Torstar and also in the public disclosure tort. Public interest in reporting is important.)

Privacy Act (BC)

Some provinces, like British Columbia, have statutory torts of invasion of privacy. They also use “public interest” to provide a defence. Here’s the wording from BC:

1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.
(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.

Which could include news reporting.

(3) In determining whether the act or conduct of a person is a violation of another's privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.

This last part would very likely take into account whether the intrusion were done by a journalist pursuing a story in the public interest.

The statute also specifically includes a defence for “Publications in the public interest or comment on a matter of public interest”.

But it is notable that this only extends to the publication, and not the collection of information leading to the publication.

Interception

We also have criminal laws that are designed to protect privacy.

For example, we have a wiretapping law that makes it an offence to intercept a private communications. It does not include a public interest defence and I suppose it could be challenged if a reporter was engaged in wiretapping or eavesdropping as part of a story.

But just because it could be challenged, doesn’t mean it would necessarily be successful. It may well be that a court would say that any restriction on freedom of expression is justified, and everyone’s interest in being free from having their conversations overheard or phones tapped outweighs any impact on freedom of expression.

Voyeurism

We also have an offence of voyeurism, which includes a specific “public good” defence, which reads:

“(6) No person shall be convicted of an offence under this section if the acts that are alleged to constitute the offence serve the public good and do not extend beyond what serves the public good.”

It is hard to imagine a hypothetical scenario where a member of the press may be engaged in voyeurism and to use the public good defence, but it is there. And the legitimate information of the public on a matter of public interest would arguably be for the public good.

Conclusion

In Canada, freedom of expression and freedom of the press are important values. They are rights that are baked into our constitution and all laws in Canada that affect expression or the ability of the media to do their jobs have to be justified.

This includes privacy laws, which may be engaged every time a reporter is looking into the private affairs or the private life of a subject.

Thankfully, to take account of freedom of the press, journalists and journalistic purposes are specifically excluded from the application of our general privacy laws, which require individual consent for all collection, use and disclosure of personal information.

So what we’re left with are the general rules in the common law and statutes that regulate very problematic intrusions into privacy. On one hand, we have the general common law and statutes related to invasions of privacy. While they haven’t been tested in the context of journalism, they do take freedom of the press into account.

Similarly, we have laws that criminalize wiretapping and voyeurism, which could be subject to challenge related to possible impacts on freedom of the press, but these guardrails are likely justifiable under section 1 of our Charter.

Monday, March 14, 2022

Video: Home surveillance cameras

In my legal practice, I exclusively advise businesses on matters related to privacy and technology law. But I am sometimes asked by individuals about the use of home surveillance cameras. Because of advances in technology and low cost, they’re everywhere. The rise of home delivery has led to porch pirates who steal packages, and people want to deter that or to try to catch porch pirates in the act.

If you keep an eye out walking down a suburban street, you’ll often see them. Doorbell cameras are very popular, but so are other cameras.

The purpose of this discussion is to review the laws that do and do not apply to individuals who use these devices on their own private property. At least in this discussion, I’m not going to talk about the laws as they may apply to companies that provide these services used by individuals.

Different rules

Many people are familiar with privacy regulations like the Personal Information Protection and Electronic Documents Act or the provincial Freedom of Information and Protection of Privacy Acts.

Businesses are regulated by commercial privacy laws, whether federal or provincial.

Government and police are regulated by public sector privacy laws.

But the personal and “domestic” collection of personal information is unregulated in Canada.

General privacy regulations do not apply

Commercial privacy regulations do not apply to private individuals collecting, using or disclosing personal information for their own personal purposes.

For example, the Personal Information Protection and Electronic Documents Act, known as PIPEDA, only applies to the collection, use and disclosure of personal information in the course of commercial activity.

And just to be more clear, paragraph 4(2)(b) of that Act excludes personal or domestic purposes:

It says This Part does not apply to …

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose;

If you are collecting personal information – which includes video and images that include a person – only for personal or domestic purposes, that is excluded from the Act.

The Personal Information Acts of British Columbia and Alberta are very similar.

For example, paragraph 3(2)(a) has an exclusion that is very similar to PIPEDA’s.

“This Act does not apply to the following: (a) the collection, use or disclosure of personal information, if the collection, use or disclosure is for the personal or domestic purposes of the individual who is collecting, using or disclosing the personal information and for no other purpose;”

Other “Privacy” laws

Just because this activity is not captured by our general privacy laws, other laws may apply.

Our Criminal Code includes offences for voyeurism and the interception of private communications.

Voyeurism

The crime of voyeurism was added to the Criminal Code relatively recently.

It involves surreptitiously observing or recording a person where there is a reasonable expectation of privacy.

Paragraph (a) makes it an offence to observe or record in a place in which a person can reasonably be expected to be nude … or to be engaged in explicit sexual activity.

Paragraph (b) makes it an offence where the recording or observing is done for the purpose of observing or recording a person in such a state or engaged in such an activity.

Paragraph (c) covers a broader range of observation or recording, but where it is done for a sexual purpose.

People should be aware that the courts have held you can have a reasonable expectation of privacy in a relatively public place and that the expectation of privacy can vary according to the method of observation. For example, you may not have much of an expectation of privacy with regard to being observed by someone at eye level, but you may have a protected expectation of privacy from being observed or recorded up a person’s dress or from above to look down their top.

Don’t point a camera where someone has a reasonable expectation of privacy.

This would include pointing at a neighbour’s windows, fenced back yards, pool, hot tub, etc.

Interception of private communications

Audio recording is particularly hazardous in Canada.

Using a device to knowingly intercept a private communication can be a very serious offence in Canada.

If your camera can record audio, don’t put it where it might record a private communication or disable that feature. And be careful.

You may have a camera on your fence-post that is exclusively pointed at your property, but it may capture private conversations among your neighbours on the other side of the fence.

Consent is a defence to a charge under this section, but it’s unclear if signage can create adequate consent.

Other privacy laws

In addition to the criminal law, people should also be mindful of the laws where you can be sued.

This includes the law of nuisance, the law of trespass, and privacy claims under “intrusion upon seclusion” and some provincial privacy statutes.

Nuisance

Nuisance is a very old, and well established legal claim. It boils down to “unreasonable interference with the ordinary enjoyment of property.”

A lot of traditional, old nuisance claims relate to noises, bad smells, smoke and things like that, but we are starting to see cases where people claim that someone’s use of surveillance cameras is interfering with their enjoyment of their own property.

The case of Suzuki and Monroe from the British Columbia Supreme Court in 2009 is instructive.

In this case, the Suzukis sued the Monroes for having a loud air conditioner and for having a surveillance camera that included part of the Suzuki property. In finding in favour of the plaintiffs, the judge wrote:

“I have no doubt that a surveillance camera continuously observing the entrance areas to a neighbouring property, or any part thereof, in these circumstances, is an intolerable interference with the use and enjoyment of the neighbouring property…

No useful purpose of any kind is served by having the camera directed at any part of the Suzuki property.

I am forced to conclude that the Munroes installed the camera and refused to remove or redirect it at least in part in order to provoke and annoy the Suzukis.

Acts done with the intention of annoying a neighbour and actually causing annoyance will be a nuisance, although the same amount of annoyance would not be a nuisance if done in the ordinary and reasonable use of the property….”

It is important to note that the judge said the use of cameras was not really necessary for any legitimate purposes of the defendants. If it had been legit, it might not have been found to be a nuisance.

We’ll talk about another, similar BC case in a bit.

Trespassing

Trespassing is unlawful. It can be a criminal offence, a provincial offence or someting you can sue someone for.

Don’t enter a neigbhour’s property to install or locate a camera without their permission. Putting a camera physically on a property that is not yours without permission is also unlawful.

Intrusion upon seclusion

In addition to the more traditional torts that I just mentioned, we are seeing more pure privacy claims.

In most common law provinces, you can sue or be sued for “intrusion upon seclusion”.

It is, in summary “an intentional or reckless intrusion, without lawful justification, into the plaintiff's private affairs or concerns that would be highly offensive to a reasonable person.”

If you poke into someone’s private life in a way that would be highly offensive, harm and damages are presumed.

Statutory torts

Some provinces have what are called statutory torts of invasion of privacy.

Here is the gist of the British Columbia Privacy Act.

1(1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

This means that the plaintiff doesn’t have to prove they were actually harmed. That is presumed.

Note the violation has to be without a claim of right or legitimate justification.

It then goes on and says …

(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.

(3) In determining whether the act or conduct of a person is a violation of another's privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.

Note it specifically refers to eavesdropping and surveillance in subsection (4), which reads:

(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.

For the use of home surveillance cameras to protect your private property, paragraph 2(2)(b) is important:

2(2) An act or conduct is not a violation of privacy if any of the following applies:

(b) the act or conduct was incidental to the exercise of a lawful right of defence of person or property; …

Let’s see how that plays out in practice.

This specifically came up in another British Columbia case called Minicucci and Liu, a 2021 decision from the British Columbia Supreme Court.

This was another dispute between neighbours.

For backyard privacy, the plaintiff planted eight 25-foot cedars and twenty 10-foot cedars along the property line. This is the property line between the parties’ homes. The plaintiffs had a pool in their backyard, and the defendants had one as well.

Sometime later, the defendants asked the plaintiffs to “top” the trees because they were interfering with the defendants’ view. The plaintiffs refused.

Sometime later, while the plaintiff was away from their home, the defendant topped numerous of the cedar trees.

The plaintiff installed cameras pointed at the trees, and the camera also could see into the defendant’s backyard.

So the plaintiff sued the defendants seeking damages and injunctive relief for trespass and damage to the cedar trees.

The defendants filed a counterclaim seeking damages from the plaintiff for nuisance and for invasion of privacy by the camera.

The defendant’s privacy claim was dismissed because the use and location of the cameras was justified. Capturing a portion of the defendant’s backyard was incidental and the camera had been installed because of the defendant’s trespass and topping their trees.

The court also noted that it would not have been possible to record the trees without incidentally including some of the backyard.

Other rules - Condo rules

In some cases, there may be other rules that affect whether or how someone can install surveillance cameras.

In a 2022 Alberta court case called Lupuliak and Condo Plan 82111689, the Court of Queen’s bench found against a condo owner because the installation of a doorbell camera on the person’s door violated the condo rules. A similar camera that had been installed on the person’s patio was found not to be an issue.

Other rules - Leases

If you’re a tenant, you would want to check your lease or check with your landlord before installing any device outside your leased space. This would also include your door.

Purely public places

Many cameras that people install to observe their front doors or driveways will also include coverage of public spaces like sidewalks and roads.

There’s a diminished expectation of privacy in a completely public space like a road or a sidewalk.

However, expectation of privacy is not binary but is more nuanced.

If it came up, the courts will likely do a balancing test: is your legitimate need to use the device proportionate to the intrusion for others?

What if police ask for your footage?

Since most people use home surveillance cameras to deter or detect criminal activity, it’s worth asking what to do if the police ask for your footage.

With the increasing adoption of the devices, police are more commonly doing a video or CCTV canvas as part of their investigations. This involves going around the area to see if there are any cameras that may have captured something that can further their investigation.

So if the police come knocking looking for footage from your camera, what should you do?

Unlike businesses that are subject to general privacy regulations, you can give them footage without a warrant or a court order. That doesn’t mean you have to. It’s entirely up to you, unless they have something called a production order, which requires you to provide it.

Personally, I would ask them what they’re investigating and I’d decide whether to hand it over on that basis.

And if you are dealing with the police to report a crime and your cameras captured anything relevant, you can feel free to hand it over.

Best practices

So at the end of the day, what are the best practices?

In short, don’t be an idiot.

Be a good neighbour and minimise any recording of anything that is not your own property.

Let people – residents and visitors – know what’s going on. Talk to your neighbours and put up signs. Your neighbour may actually appreciate that you have cameras.

Certainly, don’t point it at any place you’d expect people to be nude or doing “things”

Think about what you’re actually using the cameras for and adjust your settings accordingly. If you are concerned about prowlers at night or someone on your property when you’re not at home, some of these more advanced cameras can be set to only record at night or when you’re not at home.

Takeaways

Remember that though an individual in their private capacity is outside the usual privacy regulations, other laws and rules can still apply.

Respect your neighbours and their privacy interests

Monday, March 07, 2022

Video: Individual access requests under PIPEDA

New on my YouTube Channel.

Intro

Today I am going to be speaking about individual personal information access requests. If you're from Europe, you probably have heard the term data subject access requests, which is essentially the same concept.

This is where an individual gets to ask a business what information they have about them, expects a copy of it and perhaps disputes its accuracy.

I remember when our federal privacy law was being debated and phased in, many businesses were concerned they would be overrun with individual access requests. They were particularly concerned with frivolous or vexatious ones. We really haven’t seen that in practice.

But the right exists and any organization that does business in Canada needs to know about it and should be able to manage it.

Today, I am only going to be talking about Canada's personal information protection and electronic documents act. This law includes a general rule that individuals have an access right. Like most rules, this is not absolute and there are some exceptions. I plan to cover many of these exceptions in this discussion.

While this discussion is limited to Canada's personal information protection and electronic documents act, you should probably know that every single Canadian privacy law includes an access right.

Most of our public sector laws are divided between freedom of information and protection of privacy. In the federal public sector, there is a separate Privacy Act and an Access to Information Act. Many provinces also have health privacy laws, all of which include an individual access right.

Though I am talking about the federal private sector law, you should know that some of the details can differ from law to law.

If you have followed any of these discussions, you will know that the Personal Information Protection and Electronic Documents Act is weird. This federal law is based on the general principles of the Canadian Standards Association Model Code for the Protection of Personal Information. In fact, this standard of Canada is appended as a schedule to the law.

If you read it, you will see that it is written as a general list of principles, not like most of our laws. The general rules are in the schedule but there are exceptions in the body of the statute. The body of the law and the Schedule have to be read together.

The General Principle of Access

So we will be looking at Principle 9 from the CSA Model Code and then sections 8 through 10 of the Act.

Of course, we have to start with the general rule of access. This is in Principle 9, entitled “individual access”. It says…

“Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”

This talks about access to the information itself. It also refers to access to information about how it has been used. And the individual also gets to challenge the accuracy and completeness of that information.

There are some sub-principles that elaborate on this. Sub principle 9.1 says…

“9.1 Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. … In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.”

The business should answer the question about whether they even have information about the individual, and should be able to tell them where that information came from.

They also should be able to tell the individual how that information has been used and to whom it has been disclosed. Businesses are sometimes surprised to discover that they have to keep information about their information in order to satisfy this requirement.

Because a business cannot disclose personal information about somebody without their consent, and the information contained in an individual access request is pretty all-encompassing, it makes sense that the business can require the individual to prove that they are the person they purport to be. It also makes sense that the individual should cooperate in helping the business identify what information may be about them.

That includes “how do we know you are who you say you are?” And “where should we look to find information about you?”

Information provided in that particular context can only be used for that purpose.

To whom has the information been disclosed?

I mentioned that businesses have to keep information about their information. In sub-principle 9.3, individual access rights include a right to know to whom a person’s personal information may have been disclosed. The principle reads:

“9.3 In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.”

At the end of the day, organizations need to know where the data they control goes and need to be able to tell people when they ask.

Timelines to respond

The timelines to respond are a good example of the difference between the very general language of the principles and some of the specifics in the statute. The sub-principle 9. 3 says it has to be provided “within a reasonable time”. We’ll see when we flip to section 8 that that really means no later than 30 days in most cases.

The sub-principle also says it has to be at minimal or no cost to the individual.

My general advice is to not charge people for this. But there are cases where individuals will repeatedly make requests and there is no mechanism to say “no” to frivolous or vexatious requests. Attaching a cost may make sense. For example, in any twelve month period the first request is free.

I think Google had the right idea when it started providing users with the ability to download their account information. A self-serve individual access right. Since then, many large data driven companies have followed suit allowing individuals to easily access their own data for free.

This sub-principle also says “The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.”

This makes sense. If a person can’t parse a JSON file or decipher technical abbreviations, the person really isn’t able to access the information. I know of some healthcare providers who will provide a nurse or a records clerk to walk through the records with a patient who asks for it.

Finally, you’ll note that this doesn’t go so far as to give a “data portability” right. We expect this to be added when PIPEDA is updated in the coming year or so.

Disputes about accuracy

PIPEDA contains an accuracy principle, which requires that “Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.”

The individual has the right to dispute the accuracy of any personal information a company may have, and sub-principles 9.5 and 9.6 address how this is to be dealt with. It is pretty straightforward:

“9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.”

But what happens if the company doesn’t agree that the information is inaccurate? Sub-principle 9.6 addresses this:

9.6 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

How to make a request

So those are the relevant provisions in the Schedule from the CSA Model Code. Let’s now turn to some of the specifics in the body of the statute itself.

Subsection (1) of Section 8 of PIPEDA says that these requests have to be in writing. This can, of course, be electronic. Note that the wording says “must”. This implies that a request that is not in writing doesn’t trigger the formalities of the Act, but can still be responded to.

Duty to assist

Subsection (2) of Section 8 places an obligation on the organization to assist the individual to make a request if they say they need help.

This makes sense.

Timing

I mentioned earlier that the general language about timing in the principles is firmed up in the body of the statute. Specifically, it says “An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.”

Extension of time limit

This isn’t absolute, however. In some cases, the organization can extend the time but has to let the individual know about the extension, the reason for it and of their right to complain to the Privacy Commissioner.

The first circumstance is if “meeting the time limit would unreasonably interfere with the activities of the organization”.

This would be if the request is complex or would require a lot of resources, who would be taken away from their usual tasks and it would “unreasonably interfere with the activities of the organization.” What “unreasonably interfere” means is unclear. In this case, the timeline can be extended for a second thirty days.

The second circumstance is if the organization needs more time to carry out consultations necessary to respond to the request. For example, some of the information may have been generated in litigation or in contemplation of litigation, and the organization needs to determine if the privilege exception applies and to decide whether to waive it. In this case as well, the timeline can be extended for a second thirty days.

The third scenario is more open ended and allows time to convert the personal information into an alternative format. This may be to accommodate a disability.

Deemed refusal

Subsection (5) of Section 8 says that if the organization fails to respond to an access request within the timelines imposed by the Act, that is a deemed refusal and the individual thus has the right to complain to the Privacy Commissioner.

Costs for responding

You’ll recall that the principles say that access requests have to be “at minimal or no cost to the individual.”

Subsection (6) of Section 8 says that you can only charge the individual if they are advised of the approximate cost and the individual then tells the organization that the request is not being withdrawn.

Notably, there is no other guidance on costs or whether the cost has to be reasonable. That’s likely implied.

Reasons for refusals

If the organization refuses an individual’s request – and I’ll get into the exceptions that can justify a refusal shortly – this refusal has to be in writing. It has to tell them the reasons for the refusal and to tell them they have the right to complain to the Privacy Commissioner.

It also says that the organization essentially must preserve and retain the information at issue for as long as is necessary to allow the individual to exhaust any recourse that they may have.

That makes sense. If it was an unjustified refusal, and the end result is a recommendation from the Commissioner or an order from the court to hand it over, that would be thwarted if the information were deleted in the meantime.

Mandatory refusals

The Act contains a number of circumstances where access either can be refused or where it must be refused.

In subsection (1) of section 9, it says that you have to refuse to provide access if doing so would disclose personal information of a third party. If that personal information can be severed from the disclosure, then you must do the severing and provide the balance of the information. If the third party consents, then access can be granted.

Interestingly, subsection (2) allows giving access even if it would disclose third party personal information if the “individual needs the information because an individual’s life, health or security is threatened.”

Notably, it is not just if the applicant’s life health or security is threatened

That is a real outlier of a scenario and if you encounter that, get immediate advice from an experienced privacy lawyer.

A second scenario where access must be refused is if the personal information that is the subject of the access request has previously been requested by law enforcement, national security or other government agencies. If this is the case: get immediate advice from an experienced privacy lawyer.

The Act sets out a whole routine of consulting with the government agency, seeking their input or direction. If they say don’t disclose it, you can’t disclose it. And you probably can’t tell the individual why and you also have to give notice to the Privacy Commissioner.

The legislators have created a real minefield for organizations if this comes up, so proceed with caution and with good advice.

Discretionary refusals

Subsection (3) of Section 9 sets out a number of circumstances where an organization can choose to refuse access. It doesn’t have to provide it, but it can.

The first is if the information is protected by legal advice or litigation privilege. This comes up a lot because individuals often use the access right under PIPEDA as a pre-litigation discovery tool. If there’s any doubt about whether information fits in this category, seek advice. And of course be aware that this would amount to a waiver of privilege.

The second is if providing access would reveal confidential commercial information, but if that information can be severed, it has to be and the balance of the information must be provided.

The third is if disclosing the information could reasonably be expected to threaten the life or security of another individual. As with confidential commercial information, if that information can be severed, it has to be and the balance of the information must be provided.

The fourth is if the information was collected under paragraph 7(1)(b), which is if it was collected without the knowledge or consent of the individual in connection with an investigation related to a breach of an agreement or a contravention of the laws of Canada or a province. If you refuse on this basis, you have to notify the Privacy Commissioner and include in the notice to the individual whatever information that the Commissioner may specify.

The fifth is if the information was generated in the course of a formal dispute resolution process. This would be in addition to litigation privilege, referred to in paragraph (a).

The sixth scenario where access can be refused is if the information relates to an investigation under the Public Servants Disclosure Protection Act. This rarely arises.

Conclusion

At the end of the day, Canadians are generally not frequent users of the individual access right that they have in the Personal Information Protection and Electronic Documents Act.

But businesses need to understand that this right exists and should have processes and procedures to manage it. Hopefully this has provided information on the general rules that apply to this, and the exceptions to the general right of access.

Thank you very much for tuning in. If you have any comments on this video or any suggestions for topics you’d like to see covered in the future, please leave them in the comments below.

If you find this sort of content to be interesting or informative, please subscribe. If you also click the bell, you’ll be notified of new videos as they are posted.