Monday, August 15, 2022

Can someone legitimately try to stop you from taking photos or recording video in a public place? There are some laws to know about, but the answer for Canada is that you generally have the right to take photos or record video in a public place, and nobody can lawfully stop you from doing so.

How it came up

This past week on Twitter, I saw a couple of discussions about people taking photos in public places, either being called out about it online or being told in person to cut it out.

In the first example, Canadian journalist James MacLeod took it upon himself to get a radar speed gun and document people speeding through a park. He’d take photos of drivers and their speed, and post them on Twitter. One twitter user said doing so seemed “suspect”.

In the second example, a person in Toronto tweeted that he’d been told by a security guard to not take photos of a shipping container put in a public street, blocking a cycling lane. As I replied, “there is no legal basis upon which a security guard can require an individual private citizen to stop taking photos or video in a public place.”

I’ve previously done a video about recording the police in public (link below), but figured it was time to do a more general video about photography and videography in public.

Here’s the general rule: you can take photos in a public place or record video on public property without any legal consequences. That doesn’t always mean you should, but you generally can. You can also photograph or record any place or thing that is visible from a public place, which would include private property as long as you yourself are not trespassing.

There is nothing in our criminal law that makes it illegal to take photos or video in a public place. Other general laws are going to apply. You can’t be a nuisance, and you can’t damage property and you can’t obstruct the police when they are carrying out their duties. You can’t block traffic to get the perfect shot. Short of that, you can generally stand in a public place and take photos of everything and everyone you see.

In fact, you have a Charter right to take photos or record video. The right to freedom of expression protected in section 2(b) of the Charter also protects your right to collect information. Photography and videography are inherently expressive activities and are thus Charter-protected. Any limitation in law on that right would have to be justified under s. 1 of the Charter and any sort of blanket “no photography in public” law would not be justifiable.

Exceptions – voyeurism

That said, there is a crime of voyeurism that has a few nuances and can apply in public or quasi-public places. It was added to the Criminal Code relatively recently.

It involves surreptitiously observing or recording a person where there is a reasonable expectation of privacy. It has to be surreptitious and there has to be a reasonable expectation of privacy.

Paragraph (a) makes it an offence to observe or record in a place in which a person can reasonably be expected to be nude … or to be engaged in explicit sexual activity.

Paragraph (b) makes it an offence where the recording or observing is done for the purpose of observing or recording a person in such a state or engaged in such an activity.

Paragraph (c) covers a broader range of observation or recording, but where it is done for a sexual purpose.

People should be aware that the courts have held you can have a reasonable expectation of privacy in a relatively public place and that the expectation of privacy can vary according to the method of observation. For example, you may not have much of an expectation of privacy with regard to being observed by someone at eye level, but you may have a protected expectation of privacy from being observed or recorded up a person’s dress or from above to look down their top.

One of the leading cases on this is called Jarvis.

The accused was a teacher at a high school. He used a camera concealed inside a pen to make surreptitious video recordings of female students while they were engaged in ordinary school-related activities in common areas of the school. Most of the videos focused on the faces, upper bodies and breasts of female students. The students were not aware that they were being recorded. Of course, they did not consent to the recordings. A school board policy in effect at the relevant time prohibited the type of conduct engaged in by the accused. There were other official surveillance cameras in the school hallways.

The court said:

“Given ordinary expectations regarding video surveillance in places such as schools, the students would have reasonably expected that they would be captured incidentally by security cameras in various locations at the school and that this footage of them could be viewed or reviewed by authorized persons for purposes related to safety and the protection of property. It does not follow from this that they would have reasonably expected that they would also be recorded at close range with a hidden camera, let alone by a teacher for the teacher’s purely private purposes (an issue to which I will return later in these reasons). In part due to the technology used to make them, the videos made by Mr. Jarvis are far more intrusive than casual observation, security camera surveillance or other types of observation or recording that would reasonably be expected by people in most public places, and in particular, by students in a school environment.”

So while the students should have expected to be incidentally observed by the school’s cameras, that did not ultimately affect their expectation of privacy where a teacher with a hidden camera was concerned. He was convicted of voyeurism.

Another key element in the voyeurism offence is that it has to be surreptitious. In Jarvis, the camera was disguised in a pen. There is a case from Ontario called R. v. Lebenfish, 2014 ONCJ 130, in which a person was changed with voyeurism after he was observed taking photos, mainly of women, at a nude beach in Toronto. He was acquitted because he did not make any effort to hide what he was doing. The court also found that the other beach-goers did not have a reasonable expectation of privacy. The court did note that he wasn’t using a long zoom lens or other form of photographic enhancement.

Sneakily taking photos up dresses can be the offence of voyeurism, but standing on a sidewalk obviously taking a photo of someone else would not be.

In Lebenfish, the accused was also charged with mischief. Specifically, it was alleged he committed mischief “by willfully interfering with the lawful enjoyment without legal justification of property,” namely, the beach.

The court found that he did not interfere with the lawful enjoyment of the beach, but also noted that the answer may have been different if there were signs posted saying no photography or if there had been a municipal by-law prohibiting photography at the beach. If photography was prohibited, then part of the enjoyment of the beach would be that it was camera free.

One thing that is worth nothing is that the law doesn’t offer any special protection for children. A while ago, the police here in Halifax were looking for someone who was reported to have been taking photos of kids at a public park. That was followed by a lot of people saying that it is plainly illegal to take photos of other people’s children at a park. That’s not the case. It is certainly creepy and concerning, but likely not illegal in and of itself.

Privacy laws

What about other kinds of laws? We have privacy laws to think about. The ones I deal with most often regulate what businesses can do. An individual taking photos for personal purposes is not a business.

And just to be clear, they have carve-outs for personal use and artistic use. Here’s what PIPEDA says:

(2) This Part does not apply to

(b) any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

(c) any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

The other provincial general privacy laws have similar exclusions.

Privacy torts

So what about the risk of being sued for damages for invasion of privacy. That’s not likely either.

In most common law provinces, you can sue or be sued for “intrusion upon seclusion”.

It is, in summary “an intentional or reckless intrusion, without lawful justification, into the plaintiff's private affairs or concerns that would be highly offensive to a reasonable person.”

If you poke into someone’s private life in a way that would be highly offensive, harm and damages are presumed.

You can also be sued for public disclosure of private facts, which also has to engage someone’s private life and be highly offensive to a reasonable person.

It is hard to see how taking photographs or video in a public place would engage someone’s private and intimate life, and be highly offensive to a reasonable person. It could be engaged if one were stalking someone, though.

Statutory torts

Some provinces have what are called statutory torts of invasion of privacy.

Here is the gist of the British Columbia Privacy Act.

1(1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

Note the violation has to be without a claim of right or legitimate justification.

It then goes on and says …

(2) The nature and degree of privacy to which a person is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, giving due regard to the lawful interests of others.

(3) In determining whether the act or conduct of a person is a violation of another's privacy, regard must be given to the nature, incidence and occasion of the act or conduct and to any domestic or other relationship between the parties.

Note it specifically refers to eavesdropping and surveillance in subsection (4), which reads:

(4) Without limiting subsections (1) to (3), privacy may be violated by eavesdropping or surveillance, whether or not accomplished by trespass.

Again, it is hard to see how obviously taking photographs or video in a public place would engage this tort, but it could be engaged if one were stalking someone.

Private property but public places

Regularly, we go to places where the public is generally invited, but it is private property. This can also include what we often think of as being “public property”, but it is owned by someone else. Think of a park, which is owned by a municipality. People or organisations that own property can put conditions on entry to that property. One of those conditions may be “no photography”. And if you exceed or violate the conditions of your invitation, you could then be trespassing. The property owner would be within their rights to ask you to leave under provincial trespassing statutes. In some provinces, it may be a provincial summary offence. But the owner or occupier of the property would have to put you on notice that photography is prohibited on the premises.

Requests to delete photos

Finally, I’m sometimes asked if you can be required to delete photos taken. The answer is a resounding no. No private individual can take your phone and nobody can require you to delete any photos.

Monday, August 08, 2022

Video: OPC Finding: Spam messages sent by COVID testing contractor

The Privacy Commissioner of Canada just released a report of findings about a company contracted by the Airport of Montreal to do on-arrival covid testing. The company added the people tested to their mailing list and sent them unsolicited commercial electronic messages. The investigation was done jointly with the Information Commissioner of Quebec. The finding raises more questions than it answers.

The complainant in this case arrived at Montreal’s Trudeau International Airport. To comply with the Public Health Agency of Canada’s rules, the individual had to undergo on-arrival COVID testing. Conveniently, the Airport had contracted with a company called Biron Health Group to COVID testing directly at the airport. So the complainant went to the Biron site, provided them with his contact information, had this test done, it was negative and they emailed him the results.

A few days after receiving his test results, the complainant received an email from Biron promoting its other services. The complainant unsubscribed using the link in the email, and never received any further unwanted emails from them. The OPC said “he was shocked to receive such an email” and filed a complaint with the OPC.

The information and privacy commissioner of Quebec also investigated, but does not appear to have released a decision on the case. Instead, they just referred to the OPC’s finding.

During the course of the investigation, the company said it had “implied consent” under Canada’s Anti-Spam Law to send commercial electronic messages and was justified in doing so.

The OPC said there was no implied consent under PIPEDA, however. Here’s what they said specifically:

“The OPC is of the opinion that Biron could not reasonably assume that it had the implicit consent of travellers arriving in Canada. Biron was mandated by the government to conduct COVID-19 testing on travellers and paid by the Montreal Trudeau Airport. Biron was the only company offering this service at this airport. Consequently, travellers arriving in Canada had no choice but to do business with Biron to comply with the rules issued by the Public Health Agency. In this situation, these travellers would not normally expect their personal information to be used for reasons other than the mandatory testing.

Biron collected the travellers’ personal information for the purpose of conducting COVID-19 tests and sending them sensitive information related to their health, notably their test results. Biron was acting as a service provider for the airport. The OPC considers that Biron should have taken these circumstances into account before using the personal information for secondary marketing purposes and for its own purposes.”

Because Biron said they’d stop doing this, the OPC closed the file as “settled during the course of the investigation”. Case closed.

So why is this unsatisfying? There are a couple of key questions in the background, of interest to privacy practitioners, that are unaddressed and thus unanswered.

The first question is what law should actually apply to Biron in this case? The Privacy Commissioner refers to PIPEDA, our federal commercial privacy law. But we have a mess of privacy laws in Canada, more than a few of which could have been applicable.

Quebec has a provincial privacy law that applies to all businesses in that province, unless they are “federal works, undertakings or businesses”. Notably, international airports and airlines are “federal works, undertakings or businesses.”

There really is no doubt that if the testing facility had been off the airport property and operating on its own, the federal privacy Law could not have applied at all and instead the Quebec private sector privacy law would have been applicable. That means the federal Commissioner would have had no jurisdiction to investigate and it would have been entirely up to the Quebec Commissioner to do so.

So does that mean that simply being on or operating from airport property makes you a “federal work, undertaking or business”? I don't think that can really be the case.

Was it because the service they were providing is connected to international travel that places them within Federal jurisdiction? That seems dubious to me.

Were they within Federal jurisdiction because they had been engaged by the airport authority to provide this service? The airport authority is certainly a “federal work, undertaking or business”, but does that mean all of its contractors become “federal works, undertakings or businesses”? Again, I don't think that can really be the case. Would a taxi company given a concession to serve the airport automatically come under federal jurisdiction?

They were performing a function that was required by the Public Health Agency of Canada, but PHAC is subject to the federal Privacy Act, which never came up in the commissioner's report of findings.

This would be more tricky in a province like Alberta, where there is a provincial general privacy law that excludes PIPEDA and a health privacy law that does not. (Quebec doesn’t have a health-specific privacy law.)

Now, it may well be that both the federal and the Quebec Commissioners thought they didn't even have to consider jurisdiction because they got the result they were looking for during the course of the investigation: the company said they would change their practices and what might have been problematic under either the Quebec or the federal law has ceased. This seems likely to me, as in my experience the federal Privacy Commissioner's office we'll bend over backwards to avoid making any statements related to their jurisdiction that could come back to haunt them later.

This is not just a privacy nerd question, because other things turn on whether a company is a “federal work, undertaking or business”. If Biron is in that category, then provincial labour and employment laws don’t apply to that workplace. Instead, the Canada Labour Code applies. Other federal laws would also suddenly apply to them, not just our privacy law. If I was this company, I’d be left scratching my head.

The second element of this that is problematic is the interaction between our privacy laws and Canada's anti-spam law, also known as CASL. You will recall that the company said that they were justified in sending commercial electronic messages because they had an “existing business relationship” with the people who underwent testing. The Privacy Commissioner really did not address that, but instead focused on the Personal Information Protection and Electronic Documents Act which requires consent for all collection, use and disclosure of personal information. That consent can be implied, particularly where it would be reasonable for the individual to expect that their information will be used for a particular purpose in light of the overall transaction. The Commissioner found that individuals would not expect to have their personal information used for the secondary purpose and therefore there was no implied consent under PIPEDA.

But that is contrary to the express scheme of Canada's anti-spam law. Under CASL, an organization can only send a commercial electronic message to a recipient where it has consent to do so. That consent either must be express or implied. Implied consent under CASL is very different from implied consent under PIPEDA. CASL doesn't care about what the consumer's expectation might be. Consent can be implied where there is an existing business relationship. One of the possible existing business relationships is the purchase of goods or services from the organization in the previous two years. Presumably, buying a COVID test from a vendor would meet that threshold and there would be implied consent for sending commercial electronic messages. I do agree with the federal Privacy Commissioner that doing so because you are ordered to by the Public Health Agency of Canada would really be contrary to the individual's expectation.

But this really does highlight some of the absurd dissonance between our anti-spam law and our privacy law. Both use the term “implied consent”, but it means radically different things. From this finding from the federal Commissioner, it appears that he is of the view that implied consent under CASL does not lead to deemed implied consent under PIPEDA. CASL expressly permits it, but PIPEDA does not.

When it comes to consent for sending commercial electronic messages, one would think that the piece of legislation that was expressly written and passed by Parliament for that purpose would be the final say, but the OPC certainly does not seem to be of that view.

The Privacy Commissioner carried out this investigation along with the Quebec commissioner, but there is no mention of whether the CRTC, which is the regulator under CASL, was involved.

At the end of the day, I think an existing business relationship was created between the complainant and the company so that there would have been implied consent to send commercial electronic messages, regardless of whether the consumer would have expected it to do so. The Commissioner did highlight that the individual had to be tested under the rules for the Public Health Agency of Canada, leaving room to argue that had the individual gone to the company for a test for other purposes, that might have been a more direct commercial relationship between the parties.

As my friend and tech law colleague Jade Buchanan pointed out on Twitter, “CASL is completely unnecessary when PIPEDA will apply to the use of personal information (name email, etc.) to send commercial electronic messages.” Personally, I think that one of the reasons why we have CASL is because PIPEDA was seldom enforced by the OPC against spammers when clear jurisdiction to do so existed for more than a decade before CASL was created.

And there’s nothing in the pending Consumer Privacy Protection Act that would address this dissonance between our privacy and spam law.

So that is the finding, and we're left scratching our heads a bit or at least have unanswered questions about important matters of jurisdiction and the intersection between our privacy laws and our spam laws.