Appeal court reverses Facebook’s Canadian privacy win

Privacy Commissioner of Canada Loses in Federal Court against Facebook

Just this past week, the Office of the Privacy Commissioner of Canada was on the receiving end of a Federal Court decision that I would characterize as more than a little embarrassing for the Commissioner.

In a nutshell, the Commissioner took Facebook to court over the Cambridge Analytica incident and lost, big time.

You may recall from 2019, when the Privacy Commissioner of Canada and the Information and Privacy Commissioner of British Columbia released, with as much fanfare as possible, the result of their joint investigation into Facebook related to the Cambridge Analytica incident.

Both of the Commissioners concluded, at that time, that Facebook had violated the federal and British Columbia privacy laws, principally related to transparency and consent.

Because Facebook was not prepared to accept that finding, the Privacy Commissioner of Canada commenced an application in the Federal Court to have the Court make the same determination and issue a whole range of orders against the social media company.

The hearing of that application took place a short time ago and a decision was just released from the federal court this past week. It concluded that the Privacy Commissioner did not prove that Facebook violated our federal privacy law in connection with the Cambridge Analytica incident and made a few other interesting findings and observations. 

Just a little bit of additional procedural information: under our current privacy law, the Privacy Commissioner of Canada does not have the ability to issue any orders or to levy any penalties. What can happen after the Commissioner has released his report of findings  is that the complainant, or the Commissioner with the complaint’s okay, can commence an application in the federal court of Canada. This is what is called a de novo proceeding. 

The finding from the privacy commissioner below can be considered as part of the record, but it is not a decision being appealed from. Instead, the applicant, in this case, the Privacy Commissioner, has the burden of proving to a legal standard that the respondent has violated the federal privacy legislation.

This has to be done with actual evidence, which is where the privacy commissioner fell significantly short in the Facebook case.

It has to be remembered that the events being investigated took place almost 10 years ago, and the Facebook platform is substantially different now compared to what it looked like. Then, if you were a Facebook user from that time, you probably remember a whole bunch of apps running on the Facebook platform. You probably were annoyed by friends who were playing Farmville and sending you invitations and updates. Well, these don't exist anymore. Facebook largely is no longer a platform on which third party apps will run.

In a nutshell, at the time, one of the app developers that used the Facebook platform was a researcher associated with a company called Cambridge Analytica. They had an app running on the platform called “this is your digital life”. It operated for some time in violation of Facebook's terms of use for app developers, hoovering up significant amounts of personal information and then selling and/or using that information for, among other things, profiling and advertising targeting. Here’s how the court described it:

[36] In November 2013, Cambridge professor Dr. Aleksandr Kogan launched an app on the Facebook Platform, the TYDL App. The TYDL App was presented to users as a sort of personality quiz. Prior to launching the TYDL App, Dr. Kogan agreed to Facebook’s Platform Policy and Terms of Service. Through Platform, Dr. Kogan could access the Facebook profile information of every user who installed the TYDL App and agreed to its privacy policy. This included access to information about installing users’ Facebook friends. ...

[38] Media reports in December 2015 revealed that Dr. Kogan (and his firm, Global Science Research Ltd) had sold Facebook user information to Cambridge Analytica and a related entity, SCL Elections Ltd. The reporting claimed that Facebook user data had been used to help SCL’s clients target political messaging to potential voters in the then upcoming US presidential election primaries.

One thing to note is that in 2008-2009, the OPC investigated Facebook and the Granular Data Permissions model that it was employing on their platform. Facebook said that the OPC sanctioned and expressly approved its GDP process after testing it after the conclusion of that investigation. They argued that the Commissioner should not be able to now say that a model it approved is inadequate. The Court didn’t have to go there. 

In this application, the Privacy Commissioner alleged that Facebook failed to get adequate consent from users who used apps on Facebook’s platform, and failed to safeguard personal information that was disclosed to third party app developers. The Commissioner failed on both, but for different reasons. 

In the court process, both the Commissioner and Facebook had the opportunity to put their best evidence and best arguments forward. Facebook was able to talk about their policies, their practices with respect to third party developers, and the sorts of educational material that they provided as part of their privacy program. 

Ultimately, the court concluded that the Commissioner had failed to put forward strong evidence to lead to the conclusion that Facebook had not obtained adequate user consent for the collection, use and disclosure of their personal information when using the app in question, or apps more generally.

It’s interesting to me that the Court notes that the Commissioner did not provide any evidence of what Facebook could have done better, in their view, nor did it offer any expert evidence about what would have been reasonable to do in the circumstances. This is from paragraph 71 of the decision:

[71] In assessing these competing characterizations, aside from evidence consisting of photographs of the relevant webpages from Facebook’s affiant, the Court finds itself in an evidentiary vacuum. There is no expert evidence as to what Facebook could feasibly do differently, nor is there any subjective evidence from Facebook users about their expectations of privacy or evidence that any user did not appreciate the privacy issues at stake when using  Facebook. While such evidence may not be strictly necessary, it would have certainly enabled the Court to better assess the reasonableness of meaningful consent in an area where the standard for reasonableness and user expectations may be especially context dependent and are ever evolving.

The Court also seems to be saying that the Commissioner was trying to suck and blow at the same time:

[67] Overall, the Commissioner characterizes Facebook’s privacy measures as opaque and full of deliberate obfuscations, creating an “illusion of control”, containing reassuring statements of Facebook’s commitments to privacy and pictures of padlocks and studious dinosaurs that communicate a false sense of security to users navigating the relevant policies and educational material. On one hand, the Commissioner criticizes Facebook’s resources for being overly complex and full of legalize, rendering those resources as being unreasonable in providing meaningful consent, yet in some instances, the Commissioner criticizes the resources for being overly simplistic and not saying enough. 

The judge then found that Facebook was essentially asking the court to make a whole bunch of negative inferences in the absence of evidence, which they did not appear to try to obtain. Here’s the court at paragraph 72 of the decision: 

[72] Nor has the Commissioner used the broad powers under section 12.1 of PIPEDA to compel evidence from Facebook. Counsel for the Commissioner explained that they did not use the section 12.1 powers because Facebook would not have complied or would have had nothing to offer. That may be; however, ultimately it is the Commissioner’s burden to establish a breach of PIPEDA on the basis of evidence, not speculation and inferences derived from a paucity of material facts. If Facebook were to refuse disclosure contrary to what is required under PIPEDA, it would have been open to the Commissioner to contest that refusal.

The judge then goes on to say at paragraph 77:

[77] In the absence of evidence, the Commissioner’s submissions are replete with requests for the Court to draw “inferences”, many of which are unsupported in law or by the record. For instance, the Court was asked to draw an adverse inference from an uncontested claim of privilege over certain documents by Facebook’s affiant. 

I think there are a couple very important things to note here. The first is that the Privacy Commissioner’s report of findings, which was released with great fanfare and which concluded that Facebook had violated Canada's federal privacy laws, was essentially based on inadequate evidence. The court found it sadly lacking – not enough to convince the Court that it was more likely than not – but apparently this evidentiary record was entirely satisfactory for the purposes of the Commissioner’s investigation and report of findings.

The second thing to note here is that the court application was essentially the privacy commissioner's second kick at the can. More evidence could have been obtained for this hearing had they actually exercised their authorities under the legislation or under the rules of court. If they did that, they came to court with an inadequate evidentiary record.

The second main violation that was alleged by the Privacy Commissioner was that Facebook had failed to adequately safeguard user information that was disclosed to third party app developers. Essentially, the Privacy Commissioner's argument is that Facebook continues to have an obligation to safeguard all of the information even after a user has chosen to disclose that information to a third party app developer. Facebook took the view that the safeguarding obligation transferred to the app developer when the user initiated the disclosure to that app developer. 

This is consistent with the scheme of the Act, in my view, because the responsibility to safeguard information and to limit its use falls on the organization that actually controls that information. Once it is given to an app developer for this purpose, it is under the control of that app developer and the obligation to safeguard it would rest with them.

The Court summarized the Commissioner’s argument on this point in paragraph 85:

[85] The Commissioner counters that Facebook maintains control over the information disclosed to third-party applications because it holds a contractual right to request information from apps. The Commissioner maintains that Facebook’s safeguards were inadequate.

[86] I agree with Facebook; its safeguarding obligations end once information is disclosed to third-party applications. The Court of Appeal in Englander observed that the safeguarding principle imposed obligations on organizations with respect to their “internal handling” of information once in their “possession” (para 41). 

Very importantly here, though, is the statement from the court that companies can expect good faith and honesty in contractual agreements:

[91] In any event, even if the safeguarding obligations do apply to Facebook after it has disclosed information to third-party applications, there is insufficient evidence to conclude whether Facebook’s contractual agreements and enforcement policies constitute adequate safeguards. Commercial parties reasonably expect honesty and good faith in contractual dealings. For the same reasons as those with respect to meaningful consent, the Commissioner has failed to discharge their burden to show that it was inadequate for Facebook to rely on good faith and honest execution of its contractual agreements with third-party app developers.

This is the conclusion that the court reached. So, in the result, the court did not conclude that Facebook had violated PIPEDA in any way in association with the Cambridge analytica incident.

Another important observation, in my view, is that the Privacy commissioner of Canada did not actually investigate Cambridge Analytica itself, but focused all of its regulatory attention at Facebook. It is common ground that Cambridge Analytica and its principal violated Facebook's policies and developer agreements in taking user data off the platform and using it for secondary, unauthorized purposes. But they did not investigate Cambridge Analytica. They went after Facebook.

So what are the takeaways from this?

I think certain folks at the Office of the Privacy Commissioner should take an opportunity to think deeply about their approach to this entire thing. They should not be issuing flashy press releases and lobbing accusations in the way that they did without evidence that could support the allegations in a court of law. 

I also think we need to think carefully about what this says for privacy law reform in Canada. The Commissioner at the time used his finding as an example of why he should be given order making powers and the powers to impose penalties. They even issued a handy-dandy table in which it concluded:

Because “Facebook disputed the validity of the findings and refused to implement the recommendations,” this should lead to the result that:

“The Office of the Privacy Commissioner of Canada’s interpretation of the law should be binding on organizations. 

To ensure effective enforcement, the Commissioner should be empowered to make orders and impose fines for non-compliance with the law.”

Almost certainly, if he’d had those powers, he would have imposed orders and fines on Facebook, based on what the Court concluded was inadequate evidence. The Court even disagreed with the Commissioner’s interpretation of the law. 

If we are going to have fines and orders under PIPEDA’s replacement, which seems inevitable, the OPC should NOT be in a position to impose them. The OPC should be the prosecutor, recommending any such fines or orders to a tribunal that will not show any deference to the Commissioner. 

And finally, this offers some certainty that once information has been disclosed to a third party, it is the third party’s legal obligation to safeguard it. The OPC clearly thought that the obligation remained with the company where it originated, but that view was not shared with the court.

After the OPC filed its application in court, Facebook filed a judicial review application to have the whole thing thrown out. Facebook was not successful on that, mainly because they filed late and were not entitled to an extension. Regardless, there are some very interesting things in that decision, which I’ll discuss in an upcoming episode.

Federal Court of Appeal: Past privacy consent does not prevent new means of handling and distributing personal information

The Federal Court of Appeal released its long-awaited decision in Toronto Real Estate Board v Commissioner of Competition on Friday, December 1, 2017. The decision is a statutory appeal and is the latest chapter in a very long saga in which the Competition Bureau has accused Canada's largest real estate board of acting in an anti-competitive manner to prevent new forms of competition in the real estate market.

The Canada Real Estate Board (CREA), and its members such as the Toronto Real Estate Board (TREB) own and operate the Canadian Multiple Listing Service (which is the backbone of realtor.ca). A lot of information about current properties on the market is available on the site and realtors have access to a much wider range of information, including historical sales and listing information that is essential to carrying out market analyses for buyers and sellers.

The main issue is that TREB has not permitted innovative forms of real estate sales, such as online, using this much richer information. And privacy was one of the reasons TREB pointed to in order to justify its practices:

[2] TREB maintains a database of information on current and previously available property listings in the GTA. TREB makes some of this information available to its members via an electronic data feed, which its members can then use to populate their websites. However, some data available in the database is not distributed via the data feed, and can only be viewed and distributed through more traditional channels. The Commissioner of Competition says this disadvantages innovative brokers who would prefer to establish virtual offices, resulting in a substantial prevention or lessening of competition in violation of subsection 79(1) of the Competition Act, R.S.C. 1985, c. C-34 (Competition Act). TREB says that the restrictions do not have the effect of substantially preventing or lessening competition. Furthermore, TREB claims the restrictions are due to privacy concerns and that its brokers’ clients have not consented to such disclosure of their information. TREB also claims a copyright interest in the database it has compiled, and that under subsection 79(5) of the Competition Act, the assertion of an intellectual property right cannot be an anti-competitive act.

Focusing on the privacy argument, TREB essentially argued that people who consented to having their information made available when they hired a realtor, really only consented to having it made available through traditional channels and not published online. The Tribunal below was of the view that TREB's privacy arguments were pretty flimsy and one gets the sense that it was really a pretext to justify their way of doing things.

[131] In considering privacy as a business justification under paragraph 79(1)(b), the Tribunal found that the “principal motivation in implementing the VOW Restrictions was to insulate its members from the disruptive competition that [motivated] Internet-based brokerages”. It concluded that there was little evidentiary support for the contention that the restrictions were motivated by privacy concerns of TREB’s clients. The Tribunal also found scant evidence that, in the development of the VOW Policy, the VOW committee had considered, been motivated by, or acted upon privacy considerations (TR at para. 321). The privacy concerns were “an afterthought and continue to be a pretext for TREB’s adoption and maintenance of the VOW Restrictions” (TR at para. 390).

TREB argued that nobody consented to having this information disseminated via the internet or "virtual office websites" (VOWs), so new consent would be required to do so. Absent new consent, this information cannot be disseminated online:

[160] While the Listing Agreement used by TREB provides consent to some uses of personal information, TREB asserts that had the Tribunal examined it more closely, it would have found that the Listing Agreement did not provide sufficiently specific wording to permit disclosure of personal information in the VOW data feed. Specifically, TREB contends that the consents do not permit the distribution of the data over the internet, and that is qualitatively different from the distribution of the same information by person, fax, or email.

The Commissioner argued that consent for PIPEDA purposes is to the "purposes" proposed for the collection, use and disclosure of personal information, and not the means by which it would be disseminated. The Court of Appeal agreed:

[164] The wording in the Listing Agreements from 2003 onwards is substantially similar to that quoted above. However, the phrase “during the term of the listing and thereafter” (underlined above), first appears in 2012. The Use and Distribution of Information clause in the Listing Agreement is broad and unrestricted. Sellers are informed that their data could be used for several purposes: for distribution in the database to market their house; to compile, retain, and publish statistics; for use as part of comparative market analysis; and any other use in connection with the listing, marketing, and selling of real estate. Nothing in the text implies the data would only be used during the time the listing is active. Indeed, the use of data for historical statistics of selling prices necessitates that the data will be kept. The Tribunal noted that TREB’s policies 102 and 103 add that, apart from inaccurate data, “[n]o other changes will be made in the historical data” (TR at para. 401). We note as well that clause 11 of the Listing Agreement allows for the property to be marketed “using any medium, including the internet”.

[165] PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet in the manner targeted by the VOW Policy−does not accord with the unequivocal language of the consent.

Why is this important? Because it is clear that though technology may shift and putting services online may change the extent of the distribution of information and the possible uses of the information by someone who accesses it, the key to obtaining consent is to clearly articulate the purposes of the collection. The stated purposes are what dictate how the information can be used, but do not dictate the means of dissemination.

Privacy and the use of census information for population health research

Professor Teresa Scassa has a very interesting comment on her blog about a recent case from the Federal Court of Canada, O’Grady v. Canada (Attorney General), 2017 FC 167. Her comment is here: Recent Federal Court Decision Examines Privacy and the Census.

The case itself is a judicial review of a decision of the Chief of Statistics to enter into an agreement with McGill University’s Faculty of Medicine to conduct a study examining perinatal outcomes in Canada. This sort of research collaboration and data matching happens all the time, but seldom is it objected-to and the discussions do not often end up in front of the courts.

The context, from the decision:

[3] In 2011, Statistics Canada and McGill entered into a Letter of Agreement to conduct a study that would assess infant mortality and newborn health by examining perinatal outcomes in Canada according to risk factors related to socioeconomic position, ethno-cultural background, and environmental exposure [Study]. In connection with the Study, record linkages were used to link information from the national birth record database and the 1996 and 2006 censuses. In order to minimize the privacy intrusion, the record linkages were performed in accordance with s 6 of the Statistics Act, RSC 1985, c S-19 [Statistics Act] by Statistics Canada employees, or deemed employees, and the composite records were stripped of direct personal identifiers before they were made accessible to McGill. The composite records were also restricted to Statistics Canada’s premises. Additionally, the usage of the record linkages was publicly posted on the Statistics Canada website.

The applicant complained to the Privacy Commissioner of Canada, who concluded that the applicant's personal information had not been improperly used.

[7] The Privacy Commissioner agreed that the Applicant’s census information met the definition of personal information, as defined by s 3 of the Statistics Act. Additionally, the Privacy Commissioner found that usage of census information in the Study was beyond the scope of the purposes for which it was collected, which is prohibited under s 7 of the Statistics Act. However, there was no evidence to suggest that the Applicant’s information had actually been used in the Study as her information had been excluded. Furthermore, even if the Applicant’s information had been used, Statistics Canada had the authority to do so under the Statistics Act. Consequently, the Privacy Commissioner found that the Applicant’s complaint was not well-founded.

The Court, in reviewing the decision by the Chief of Statistics, found that it was lawful as the use of the census data in this manner is consistent with the purpose for which it was originally collected.

[68] There is no doubt that census information is personal information, so the issue in this case is whether it was used “for a use consistent” with the “purpose for which it was obtained or complied….”

[69] The Supreme Court of Canada set out the “consistent use” test in Bernard, above:

[31] A use need not be identical to the purpose for which information was obtained in order to fall under s. 8(2) (a) of the Privacy Act; it must only be consistent with that purpose. As the Federal Court of Appeal held, there need only be a sufficiently direct connection between the purpose and the proposed use, such that an employee would reasonably expect that the information could be used in the manner proposed.

(emphasis in original)

[70] It is clear that Statistics Canada could not have contemplated the Study at the time of either the 1996 census or the 2006 census. Hence, the information collected by those censuses was not obtained specifically for the Study. However, the purpose of the Study is to compile and analyse statistics related to the health and welfare of Canadians, so that it complies with the purpose of the censuses and with Statistics Canada’s mandate.

The application was dismissed, but the Court noted it was premature overall:

[86] The real problem with this application is that it is premature. The Study has not yet been released or used. The Applicant speculates that personal information will be used and disclosed, but has produced no convincing evidence to support that position. Whatever I have said in this application, which is based solely upon the record before me, should not prevent anyone whose personal information is inappropriately used or disclosed from bringing the matter before the Court in the future.

Did the Canadian Federal Court take the first step to a "right to be forgotten" with a global take-down order?

This past week, the Federal Court of Canada released a very interesting decision in A.T. v. Globe24h.com, 2017 FC 114, which seems to be the first step towards a Canadian "right to be forgotten". (You may recall that I generally don't think such a right exists in Canada (You'd better forget the right to be forgotten in Canada). The decision includes an order that purports to tell a non-Canadian what information can be published on the internet globally.

The decision is generally unsatisfying in a number of ways. But first here's the background: The Applicant, identified only as A.T., registered a complaint with the Privacy Commissioner of Canada that a Romanian website was hosting and making available an Alberta Labour Board decision that he did not want to be associated with. An internet search of his name would turn up this decision, hosted by Globe24h. He wanted it taken down. The Office of the Privacy Commissioner of Canada (OPC) had previously investigated a number of complaints against the outfit and issued a finding. Essentially, the OPC had found that the site scraped decisions from Canadian legal, courts and tribunal websites and made them searchable on the internet. Most of these tribunals and courts made these records available online, but restricted them from being indexed and fully searchable. The business model of the site seems to be that they will promptly take down decisions -- presumably those not favourable to individuals -- if the individual paid a processing fee. The OPC had found this was a violation of Canada's Personal Information Protection and Electronic Documents Act.

In the case before the Federal Court, only the complainant and the OPC appeared. As a result, the record is one-sided and there was not a complete, adversarial analysis of all the issues to be considered. Our legal system is premised upon having opposing sides present their best arguments and best evidence before a Court. This decision only includes one side and no interveners who may have helped the court get a more balanced view. It does appear that the Court generally accepted the arguments put forward by the OPC, including hearsay related to the dialogue that OPC had with Globe24h (but which it declined to have with the Court).

The Court relied on, among other authorities, the Equustek v. Google decision from the British Columbia Court of Appeal, which was appealed to the Supreme Court of Canada and for which a decision is pending, to support its ability to issue a mandatory order against an entity with no presence in Canada. This decision may be reversed.

Secondly, because there was nobody to present the other side, there was no discussion about the impact of freedom of expression or the right to information on the case. The Court concluded that because the original case was available online, but not indexed, removing it from Globe24h would not have any real impact. And because the site's purpose was concluded to be mostly mercenary, it could not take advantage of the exclusion given to exclusively journalistic reports. In fact, the Court determined that the website's approach was not "appropriate" for the purposes of s. 5(3) of PIPEDA, which reads:

Appropriate purposes

(3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Here's the judge's reasoning on that point:

[75] I agree with the OPCC that a reasonable person would not consider the respondent to have a bona fide business interest. In making this argument, the Commissioner relies on the Canadian Judicial Council’s (CJC) Model Policy for Access to Court Records in Canada (Model Policy) and the OPCC’s own guidance document to federal administrative tribunals. The CJC Model Policy discourages decisions that are published online to be indexed by search engines as this would prevent information from being available when the purpose of the search is not to find court records. The policy recognizes that a balance must be struck between the open courts principle and increasing online access to court records where the privacy and security of participants in judicial proceedings will be at issue.

[76] The CJC has struck a balance by advising courts to prevent judgments from being discovered unintentionally through search engines. To this end, the CJC has recommended that judgments published online should not be indexed by search engines. The OPCC notes that CanLII and other court and tribunal websites generally follow the CJC’s Model Policy and prevent their decisions from being indexed by search engines through web robot exclusion protocols and other means. Indeed, the Federal Court has taken such measures to prevent our decisions from being indexed. That does not bar anyone from visiting the Federal Court website and conducting a name search. But it does prevent the cases from being listed in a casual web search. The respondent’s actions result in needless exposure of sensitive personal information of participants in the justice system via search engines.

The Court agreed with the OPC's submissions that the "journalism" exception doesn't apply in the case either. In doing so, the Court followed the reasoning of the Alberta Court of Appeal in United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, which was affirmed on other grounds by the Supreme Court of Canada in 2013 SCC 62.

[67] The respondent has claimed in communications with the OPCC that his purposes in operating Globe24h.com should be considered exclusively journalistic. Should the Court accept that claim, Part 1 of PIPEDA does not apply to his activities because the personal information collected, used or disclosed falls under the exception provided by paragraph 4(2)(c) of PIPEDA.

[68] The “journalistic” purpose exception is not defined in PIPEDA and it has not received substantive treatment in the jurisprudence. The OPCC submits that the Canadian Association of Journalists has suggested that an activity should qualify as journalism only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation ”. Those criteria appear to be a reasonable framework for defining the exception. None of them would apply to what the respondent has done.

[69] The Alberta Court of Appeal interpreted similar statutory language in Alberta’s Personal Information Protection Act, SA 2003, c P-6.5: United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130 (CanLII), [2012] AJ No 427, aff’d 2013 SCC 62 (CanLII), [2013] 3 SCR 733 [United Food]. Specifically, in considering the adjective “journalistic”, the Court of Appeal noted that “it is unreasonable to think that the Legislature intended it to be so wide as to encompass everything within the phrase “freedom of opinion and expression””: United Food, above, at para 56. Further, the Court noted that “[n]ot every piece of information posted on the Internet qualifies [as journalism]”: United Food, above, at para 59.

[70] In my view, the respondent’s claimed purpose “to make law accessible for free on the Internet” on Globe24h.com cannot be considered “journalistic”. In this instance, there is no need to republish the decisions to make them accessible as they are already available on Canadian websites for free. The respondent adds no value to the publication by way of commentary, additional information or analysis. He exploits the content by demanding payment for its removal.

[71] The evidence indicates that the respondent’s primary purpose is to incentivize individuals to pay to have their personal information removed from the website. A secondary purpose, until very recently, was to generate advertising revenue by driving traffic to his website through the increased exposure of personal information in search engines. There is no evidence that the respondent’s intention is to inform the public on matters of public interest.

[72] Even if the respondent’s activities could be considered journalistic in part, the exemption under paragraph 4(2)(c) only applies where the information is collected, used or disclosed exclusively for journalistic purposes. It is clear from the record that Globe24h.com’s purposes extend beyond journalism.

While this case is very interesting and the first in Canada to approach a "right to be forgotten", I would caution against assuming that it is a strong precedent for Canadian law. Unfortunately, it appears all the argument and evidence was one-sided. The case raises some very interesting, very important and nuanced issues. We really would have benefited from a full presentation of all arguable positions, particularly those related to freedom of expression and the appropriateness of global takedown orders.

Here's the final order from the Court:

THIS COURT’S JUDGMENT is that:

1. It is declared that the Respondent, Sebastian Radulescu, contravened the Personal Information Protection and Electronics Documents Act, SC 2000, c 5 by collecting, using and disclosing on his website, www.Globe24h.com (“Globe24h.com”), personal information contained in Canadian court and tribunal decisions for inappropriate purposes and without the consent of the individuals concerned;

2. The Respondent, Sebastian Radulescu, shall remove all Canadian court and tribunal decisions containing personal information from Globe24h.com and take the necessary steps to remove these decisions from search engines caches;

3. The Respondent, Sebastian Radulescu, shall refrain from further copying and republishing Canadian court and tribunal decisions containing personal information in a manner that contravenes the Personal Information and Electronic Documents Act, SC 2000, c 5;

a) The Respondent, Sebastian Radulescu, shall pay the Applicant damages in the amount of $5000;

b) The Applicant is awarded costs in the amount of $300; and

c) The style of cause is amended to substitute the initials “A.T.” for the name of the applicant.

Court of Appeal finds negligence and breach of confidence claims should go forward in privacy class action against the Federal Government

The Federal Court of Appeal in Condon v Canada, 2015 FCA 159 (not yet available on CanLII but here as a Google Drive PDF), has reversed a lower court decision to not certify claims of negligence and breach of confidence in the class action lawsuit that followed the Federal Government's loss of a hard drive containing personal information about 583,000 Canada Student Loan recipients.

The plaintiffs, in Condon v Canada, 2014 FC 250, sought certification under a number of causes of action, including breach of contract, intrusion upon seclusion (invasion of privacy), negligence and breach of confidence. Breach of contract and intrusion upon seclusion do not require damages for an individual to recover, and both of these causes of action were certified. Those that do require damages to succeed, negligence and breach of confidence, were not successful at the certification motion.

The Court of Appeal noted that the proper test for certification is only to review the pleadings and to not inquire into the evidence. Since the plaintiffs had pleaded damages, that should be determinative:

[13] As stated by the Supreme Court, the determination of whether the pleadings disclose a reasonable cause of action is to be based on the assumption that the facts as pleaded are true. This would mean that evidence is not to be submitted at the hearing of the motion. Otherwise, the hearing of the motion could turn into a full hearing on the merits.

[14] In this case, the parties submitted affidavit evidence. In paragraphs 68 and 69 of her reasons the Federal Court Judge noted that:

68 In addition, a summary review of the evidence adduced by both parties leads the Court to the conclusion that the Plaintiffs have not suffered any compensable damages. The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit reporting agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

69 Nor does the evidence adduced support a claim for increased risk of identity theft in the future. Since the Data Loss, Equifax has produced reports pertaining to the credit files of the 88,548 individuals who availed themselves of the Credit Flag service. These reports show that there had been no increase in the relevant indicia that would be consistent with an increase in criminal activities involving those individuals' Personal Information. The rate of criminal activities registered was not higher than the 3% of the population generally victim of identity theft. Moreover, the Plaintiffs submitted a CBC news article concerning a Class Member who had been a victim of identity theft yet the article noted no proven causal link between the Data Loss and that theft.

[15] It appears that the Federal Court Judge evaluated the evidence in concluding that the Appellants had not suffered any “compensable damages”. The determination of whether the Appellants had a reasonable cause of action in negligence or breach of confidence should have been made based on the facts as pled, not on the evidence adduced in support of the motion.

…

[22] Reading the Consolidated Statement of Claim with this principle in mind, the Appellants have claimed that they have suffered damages and they have identified the nature of the damages that they are claiming. In particular, the Appellants have claimed special damages for “costs incurred in preventing identity theft” and “out-of-pocket expenses” and, as noted above, it is to be assumed that these costs have been incurred. As a result there was no basis to not include the claims for negligence and breach of confidence as part of the class proceeding.

The Federal Court of Appeal has sent the matter back to the trial level for determination, including the claims for negligence and breach of confidence and to determine the common questions in the class proceeding in relation to those claims.

Henry v Bell Mobility: Another Federal Court case shows PIPEDA damages are hardly worth pursuing absent evidence of actual harm

The Federal Court, in the recently issued decision in Henry v Bell Mobility 2014 FC 555 (not yet on CanLII or the Court's site) has awarded a very modest sum of damages to a customer of Bell Mobility whose phone account was accessed by an impostor. At the hearing before the Federal Court, Bell did not contest liability so all the Court had to consider was the appropriate measure of damages. Nevertheless, the facts are relevant: An individual was able to convince a customer service representative employed by the mobile phone company to grant her access to the complainant's account. She was provided with general account information and the last seven numbers dialed. The impostor was also allowed to make changes to the account.

The claimant alleged that he suffered a lost business opportunity as a result of the impostor then contacting an intended business associate of the claimant. However, the claimant did not offer any compelling evidence to support this business opportunity. Instead of the compensatory damages of $35,500.00, punitive damages of $5,000.00, general damages of $5,000.00 and legal costs of $4,000.00, the Court awarded $2,500 in general damages plus $1,000 in costs. The complainant had argued that the Court should follow Chitraker v Bell, but the court was not convinced.

[26] Chitrakar is distinguishable from the current case in that here Bell Mobility has taken responsibility for the breach of Mr. Henry's privacy rights; it has put in place steps to better train CSRs; it has not in any way benefited from the breach; and, has acknowledged that Mr. Henry is entitled to damages in keeping with the jurisprudence of this Court. Bell Mobility argued that damages in the range of $1,500 - $2,000 was more than adequate to compensate Mr. Henry in these circumstances.

[27] Having considered all of the evidence and the jurisprudence and given the circumstances under which the woman cajoled the Bell representative to make the changes to the account and the breadth of the information disclosed it is my view that an award of $2,500.00 is appropriate. Mr. Henry was self-represented at trial although he had counsel on record assisting him earlier in the case. In all of the circumstances, costs in the amount of $1,000.00 will cover disbursements and legal costs.

Interestingly, there is no mention of Jones v Tsige; the court only discusses PIPEDA cases.

What's the moral of this story? Absent any actual, provable harm, PIPEDA damages are hardly worth pursuing.

Some thoughts on Chitrakar v. Bell TV and damage awards under Canadian privacy law

On Thursday I posted about the new Federal Court case of Chitrakar v. Bell TV (Canadian Privacy Law Blog: Federal Court chastises Bell for accessing customer credit file without consent; $21K in damages) and promised I'd provide some thoughts once I'd had an opportunity to read the decision.

I managed to get a copy of the decision (Chitrakar v. Bell TV, 2013 FC 1103 [Google Doc]) from the Federal Court yesterday and it provides a lot of food for thought and some important questions for practitioners of Canadian privacy law.

In this case, the Court awarded the Applicant $21,000 in total, broken down as $10,000 in general damages, $10,000 in exemplary damages and $1000 in costs. The award of exemplary damages is completely attributable to the Court's view of Bell's handling of the case. They gave him the "royal run-around" and did not even show up in Court to respond to the Applicant's allegations. The Court obviously was not impressed.

But what of the $10,000 in general compensatory damages? What was alleged is that Bell TV had done a credit inquiry on the Applicant without the full knowledge and consent of the Applicant. (The inquiry was made one month BEFORE the customer had signed any agreement with Bell.) The credit inquiry, in and of itself, may have a negative impact upon a consumer's credit rating. The Applicant was subsequently denied a loan, but it was not proved that this was attributable to Bell's credit inquiry. So, in the end, the Court awarded $10,000 for a credit inquiry without consent that may or may not have actually caused any harm or damage to the Applicant.

The Court's discussion of how the damage award was arrived at is interesting:

[24] The fixing of damages for privacy rights’ violations is a difficult matter absent evidence of direct loss. However, there is no reason to require that the violation be egregious before damages will be awarded. To do so would undermine the legislative intent of paragraph 16(c) which provides that damages be awarded for privacy violations including but not limited to damages for humiliation.

[25] Privacy rights are being more broadly recognized as important rights in an era where information on an individual is so readily available even without consent. It is important that violations of those rights be recognized as properly compensable.

[26] The Court must bear in mind such factors as meaningful compensation, deterrence and vindication (see Vancouver (City) v Ward, 2010 SCC 27, [2010] 2 SCR 28).

[27] In this case, Chitraker had his rights violated in a real sense with potentially adverse consequences. Bell is a large company for whom a small damages award would have little material impact. Chitraker spent a considerable period dealing with the Bell bureaucracy and in pursuing his claim. These factors suggest that a damages award should not be minimalistic.

The Court found his rights were violated and there may have been consequences (but this was unproven). The Court also found that given the size of Bell, a small damage award would have little material consequence. On this basis, the Court awarded $10,000.

Damage awards under PIPEDA have generally been modest, such as $5000 for an inaccurate credit report that resulted in a loan application being denied and $4500 for a bank sending a customer's records to the customer's soon-to-be ex-spouse following receipt of a subpoena. In many other cases, the courts have declined to award damages at all.

This can and should be contrasted to the Jones v Tsige case from the Ontario Court of Appeal. In that case, which was outside of PIPEDA and established the tort of "intrusion upon seclusion" in Ontario, the Court found that general damages for non-pecuniary loss for that tort would range up to $20,000 and fixed the damages payable at the middle of the range.

While these damage awards appear to remain modest in light of the size of the companies involved, one can easily see how this could multiply in connection with a class-action. If a company adopted a procedure under which hard credit inquiries are routinely carried out before the customer signs any contract, each of those customers may be essentially entitled to $10,000 in compensation. Though we have not yet seen a class-action lawyer devise a way to get a class of complainants through a Privacy Commissioner investigation (which is a pre-requisite for getting to the Federal Court), I am sure that day will come and companies should be mindful that a bad practice spread across a customer base may give rise to a very large cumulative liability.

Federal Court awards minimal damages for good faith violation of PIPEDA by bank

The Federal Court of Canada, in Biron v. RBC Royal Bank, 2012 FC 1095, recently had an opportunity to consider a claim for damages under PIPEDA where the disclosure of personal information was made "in good faith". In connection with a separate proceeding, RBC Royal Bank responded to a series of subpoenas by providing information about a client (who had a joint account with one of the litigants). The individual complained to the Office of the Privacy Commissioner of Canada and then proceeded to the Federal Court seeking damages. Her claim was for punitive damages in the amount of $10,000, $5,000 for distress and inconvenience and $10,000 for moral damages. The court awarded only $2500, plus costs.

The Court noted:

[31] RBC’s conduct in the present matter does not justify an award of damages since any violation of the Act resulted from an error in good faith. According to RBC, its representatives acted in good faith when disclosing the personal information before a judge of the Superior Court, in the absence of any challenge of the subpoena. Furthermore, RBC is of the opinion that Mr. Poirier was authorized to represent Ms. Biron and to agree on her behalf to the disclosure of the personal information contained in the statements of their joint credit card. RBC alleges that Ms. Bouchard was misled when Mr. Poirier told her verbally that she could provide Ms. Grassby with all of the private information without obtaining a Court order and without restriction as to any of the information in the statements regarding Ms. Biron.

With respect to the calculation of damages:

[37] In Randall, above, the Court writes as follows about the damages awarded under section 16 of the Act:

[55] Pursuant to section 16 of the PIPEDA [the Act], an award of damages is not be made lightly. Such an award should only be made in the most egregious situations. I do not find the instant case to be an egregious situation.

[56] Damages are awarded where the breach has been one of a very serious and violating nature such as video-taping and phone-line tapping, for example, which are not comparable to the breach in the case at bar: Malcolm v Fleming (BCSC), Nanaimo Registry No S17603, [2000] BCJ No 2400; Srivastava c Hindu Mission of Canada (Québec) Inc. (QCA), [2001] RJQ 1111, [2001] JQ no 1913.

[38] The alleged damages must also result directly from the fault committed (see Stevens v SNF Maritime Metal Inc, 2010 FC 1137 (CanLII), 2010 FC 1137 at paras 28 and 29). The Court notes further that awarding damages under section 16 of the Act is discretionary (see Nammo, above).

[39] As to punitive damages, the Supreme Court of Canada instructs that these “are restricted to advertent wrongful acts that are so malicious and outrageous that they are deserving of punishment on their own” (see Honda Canada Inc v Keays, 2008 SCC 39 (CanLII), 2008 SCC 39 at para 62). In de Montigny, the Supreme Court stated as follows:

[47] While compensatory damages are awarded to compensate for the prejudice resulting from fault, exemplary damages serve a different purpose. An award of such damages aims at expressing special disapproval of a person’s conduct and is tied to the judicial assessment of that conduct, not to the extent of the compensation required for reparation of actual prejudice, whether monetary or not. As Cory J. stated:

Punitive damages may be awarded in situations where the defendant’s misconduct is so malicious, oppressive and high-handed that it offends the court’s sense of decency. Punitive damages bear no relation to [page88] what the plaintiff should receive by way of compensation. Their aim is not to compensate the plaintiff, but rather to punish the defendant. It is the means by which the jury or judge expresses its outrage at the egregious conduct of the defendant.

(Hill v Church of Scientology of Toronto, 1995 CanLII 59 (SCC), [1995] 2 SCR 1130, at para 196)

[40] In the present proceeding, the Court is of the opinion that, in light of the facts of the case, the damages alleged by Ms. Biron can be tied to RBC’s error. The Court is of the opinion, moreover, that it must consider the fact that Ms. Biron asked RBC to stop disclosing her personal information on two occasions. RBC violated its obligations under subsection 7(3) of the Act by failing to properly protect the personal information of one its clients, a disinterested third party in the divorce proceeding between Mr. Poirier and his ex-wife.

[41] Ms. Biron is also claiming punitive damages in the amount of $10,000. There is, however, no evidence on record demonstrating that RBC committed acts against Ms. Biron that were so malicious and outrageous as to warrant an award of punitive damages.

[42] The only evidence submitted by Ms. Biron in support of her total claim for $15,000 in damages, that is, $5,000 for distress and inconvenience and $10,000 for moral damages, is limited to the representations she had to make to the Privacy Commissioner, the letters sent to RBC and the time spent in helping her spouse in defending himself again his ex-wife’s allegations resulting from the review of the money spent using the joint credit card.

[43] The Court therefore concludes that, given that Ms. Biron, as a third party in a divorce proceeding, objected twice to her personal information being disclosed, that she suffered humiliation under paragraph 16(c) of the Act and that the damages sought by Ms. Biron are directly related to RBC’s fault, the Court awards $2,500 plus interest and costs, to be paid to Ms. Biron by RBC.

Federal Court awards minimal damages under PIPEDA

The Federal Court has recently released its second decision in which damages have been awarded for a breach under PIPEDA. Once again, the degree of damages are very low considering the costs associated with seeking redress before the Federal Court, but this very likely turns on the unique facts of the case.

In Landry v. Royal Bank of Canada, 2011 FC 687 (CanLII), the applicant was embroiled in what appears to be a bitter divorce and was hiding certain bank accounts from her spouse. Her bank was served with a subpoena to produce records. It appears that the bank did not follow its prescribed procedures (which would have avoided the entire mess) and ultimately faxed the applicant's bank records to counsel for her spouse. The applicant complained to the Office of the Privacy Commissioner of Canada, who found her complaint to be "well-founded and resolved".

The applicant started an application in the Federal Court, seeking at least $75,000 in damages. Neither party looked good appearing in court: the bank had not followed its procedures and tried to cover it up. The applicant was essentially caught trying to hide assets contrary to her legal obligations in connection with the divorce proceeding.

In the result, the Court concluded:

[32] Taking into account the contributory fault of the applicant, who was partially responsible for her own problems, and the serious breach committed by the respondent’s employee and its subsequent cover-up, the Court finds that the applicant suffered humiliation under paragraph 16(c) of the Act and that the respondent’s negligence warrants the applicant being compensated but does not give rise to exemplary damages as requested. Consequently, we fix an amount of $4,500 with interest and costs to be paid to the applicant by the respondent.

What is interesting is that the Court awarded any damages at all. The records, if they had been properly processed, would have been released to the applicant's husband and the personal result to her would have been the same. The Court could have said "no harm, no foul", but awarded damages (which are at least symbolic). This may hold out some hope for applicants that, in the right case, substantial damages may be awarded.

Federal Court awards PIPEDA damages due to inaccurate credit report

In what appears to be a break from the recent cases that have declined to award damages to applicants under PIPEDA, the Federal Court in Nammo v. Transunion of Canada Inc., 2010 FC 1284 has just recently awarded damages to an individual whose loan application was declined due to inaccurate information provided by a credit bureau.

The court awarded $5000 in damages after considering the principles to be applied by the court in awarding damages under the statute. It is really worth noting how cases such as Randall v Nubody's is distinguished.

[71] As indicated, PIPEDA provides the Court broad remedial powers and, in my view, s. 16 of PIPEDA permits the Court, in an appropriate case, to award damages even when no actual financial loss has been proven. In Randall v Nubodys Fitness Centres, 2010 FC 681, Justice Mosley found that an award of damages under s. 16 is not to be made lightly and that such an award should only be made “in the most egregious situations.” This is such a situation. In Randall, which involved the disclosure of how often the applicant used his gym membership to his former employer, Justice Mosley determined that the impugned disclosure of personal information was “minimal,” that there had been no injury to the applicant sufficient to justify an award of damages, that the respondent did not benefit commercially from the breach of PIPEDA, that the respondent did not act in bad faith, and, perhaps most importantly, that there was no link between the disclosure and the employer’s alleged retaliation against the applicant. The same cannot be said here. Not only was the disclosure of inaccurate information directly linked to the refusal of the loan and the associated injury to the applicant, but the respondent also profited from the disclosure and acted in bad faith in failing to take responsibility for its error and failing to rectify the problem in a timely manner. The violation of Mr. Nammo’s rights under PIPEDA was not “the result of an unfortunate misunderstanding,” as was the case in Randall. It was a serious breach involving financial information of high personal and professional importance. The fact that there is no precedent for an award of damages under PIPEDA should not impact the Court from making an award of damages where the circumstances and justice demands it. In my view, for the reasons that follow, this is such a case.

...

[74] The Supreme Court found that “to be ‘appropriate and just’, an award of damages must represent a meaningful response to the seriousness of the breach and the objectives of compensation, upholding Charter values, and deterring future breaches.” In my view, the same reasoning applies to a breach of PIPEDA, which is quasi-constitutional legislation.

[75] In Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, the Supreme Court held that the Privacy Act, R.S.C.1985, c. P-21, was quasi-constitutional legislation that must be interpreted with its special purposes in mind. In Eastmond v Canadian Pacific Railway, 2004 FC 852, at para. 100, Justice Lemieux confirmed that PIPEDA also enjoys quasi-constitutional status:

I have no hesitation in classifying PIPEDA as a fundamental law of Canada just as the Supreme Court of Canada ruled the federal Privacy Act enjoyed quasi-constitutional status (see Justice Gonthier's reasons for judgment in Lavigne v. Canada (Office of the Commissioner of Official Languages, [2002] 2 S.C.R. 773 at paragraphs 24 and 25).

[76] Applying the Supreme Court’s reasoning in Ward to PIPEDA applications before this Court indicates that both the question of whether damages should be awarded and the question of the quantum of damages should be answered with regard to whether awarding damages would further the general objects of PIPEDA and uphold the values it embodies. Furthermore, deterring future breaches and the seriousness or egregiousness of the breach would be factors to consider.

[77] One of the central objects of PIPEDA is to encourage those who collect, use and disclose personal information to do so with a degree of accuracy appropriate to the use to which the information is to be put and to correct errors quickly and effectively. I have found that TransUnion failed to collect accurate information on the applicant. Further, when apprised of its error, it failed to address the complaint quickly and effectively. It further failed to quickly and effectively correct the inaccurate information it had disseminated. Lastly, it failed to take responsibility for its error, first blaming CBV, and then in this action attempting to attribute some blame to the applicant. In my judgment, these are circumstances that warrant an award of damages based on the considerations of vindication and deterrence.

Check out the following commentary:

• Case Report – Federal Court considers accuracy principle, orders damages under PIPEDA « All About Information
• Federal Court Awards PIPEDA Damages — Slaw

Canadian courts set high bar for privacy damage awards

Michael Geist's latest Toronto Star column addresses the two recent Federal Court decisions (Stevens and Randall) where the bar for damages has been set (unreasonably?) high. See: Geist: Canadian courts set high bar for privacy damage awards - thestar.com.

Federal Court dismisses damages claims, considers what is compensable under PIPEDA

Dan Michaluk has a good summary of a very recent case from the Federal Court in Stevens v. SNF Maritime Metal Inc., 2010 FC 1137, where a claim for damages was dismissed as essentially an end-run around other potential causes of action. In this case, for wrongful termination. The applicant had apparently defrauded his employer and another company breached PIPEDA by disclosing the applicant's information to the employer. The employee was terminated and claimed damages for the resulting loss.

See: Case Report – Federal Court dismisses application, articulates what damages are compensable under PIPEDA « All About Information.

Important Federal Court decision on "commercial activities" under PIPEDA

Today, the Federal Court of Canada released an important decision on the parameters of "commercial activity" under PIPEDA: State Farm v Privacy Commissioner, 2010 FC 736. Because I was one of the counsel on the case, I can't say much so I'll leave it to Dan Michaluk to provide a full, unbiased summary.

In short, the Court concluded that an insurance company, acting on behalf of its insured in defending a personal injury claim, is not engaged in "commercial activity" so PIPEDA does not apply. Though the case it not specifically followed, this conclusion is consistent with Ferenczy v. MCI Medical Clinics (some commentary here).

Damages under PIPEDA: What does it take to get some damages around here?

Dan Michaluk has a great summary of Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII), where the Federal Court was not inclined to award any damages for a breach of PIPEDA. Dan calls it a "conservative approach", but it seems more restrictive than that. See:Case Report – Court espouses preference for conservative approach to PIPEDA remedies - All About Information.

Commissioner can't demand evidence to back-up privilege claims

Dan Michaluk, over at All About Information, has a great summary of a recent case from the Federal Court holding that the Privacy Commissioner of Canada does not have the power to demand evidence to support a claim of privilege, as an exemption to the access principle under PIPEDA. See: Case Report – Federal Court says OPC can’t demand evidence supporting a privilege claim « All About Information.

This is very interesting because since Blood Tribe, the Commissioner has been demanding detailed information about the documents over which privilege is claimed.

This case is Privacy Commissioner of Canada v. Air Canada, 2010 FC 429 (CanLII), 2010 FC 429 (CanLII).

Federal Court of Appeal upholds disclosure of eBay PowerSeller records to CRA

In September of last year, I blogged about a decision of the Federal Court of Canada that ordered eBay to hand over to the Canada Revenue Agency information about Canadian "power sellers". (See: Canadian Privacy Law Blog: Federal court orders disclosure of eBay PowerSeller records to Canada Revenue Agency.)

That decision was appealed to the Federal Court of Appeal, which upheld the decision on November 7, 2008:

eBay Canada Ltd. v. Canada (National Revenue), 2008 FCA 348 (CanLII)

...

[46] In order to induce compliance with a requirement, subsection 231.6(8) provides that a judge may prohibit a person who has failed to comply substantially with the requirement from relying on foreign-based information covered by it in a civil proceeding relating to the enforcement or administration of the Act.

[47] The scheme of section 231.6 suggests that Parliament was concerned that it could be unduly onerous for a person to be required to produce material located outside Canada and in the possession of another person, and that the section may operate in an unduly extraterritorial manner. While these concerns may be taken into account on a review by a judge for unreasonableness, they are largely irrelevant to the information (bulky as it may be) that is the subject of the requirement in the present case.

[48] This is because, with the click of a mouse, the appellants make the information appear on the screens on their desks in Toronto and Vancouver, or anywhere else in Canada. It is as easily accessible as documents in their filing cabinets in their Canadian offices. Hence, it makes no sense in my view to insist that information stored on servers outside Canada is as a matter of law located outside Canada for the purpose of section 231.6 because it has not been downloaded. Who, after all, goes to the site of servers in order to read the information stored on them?

[49] Nor is the extraterritorial application of the Act a significant issue on the present facts. For example, the agreements with eBay Canada expressly provide that they may disclose confidential “eBay System Information” (which the appellants say includes information about PowerSellers) which “is required to be disclosed by order of any court”: Appeal Book, vol. II, pp. 295-96. Nor does the requirement oblige a person outside Canada to do anything.

[50] Counsel concedes that the information identifying PowerSellers registered as having an address in Canada would be located in Canada if the appellants had downloaded it to their computers. In my view, it is formalistic in the extreme for the appellants to say that, until this simple operation is performed, the information which they lawfully retrieve in Canada from the servers, and read on their computer screens in Canada, is not located in Canada.

[51] I would only add that, although Justice Hughes does not frame his reasons by reference to the statutory definition of “foreign-based information” in subsection 231.6(1), he clearly meant that the information in question could be “located” at places other than the site of the servers where it is stored. For example, he stated 2007 FC 930 (CanLII), (2007 FC 930 at para. 23) that information stored electronically outside Canada “cannot truly be said to ‘reside’ only in one place”, and (supra at para. 25) the information required by the Minister “is not foreign but within Canada” for present purposes.

[52] Having concluded that information in electronic form stored on servers outside Canada is in law capable of being located in Canada for the purpose of section 231.6, I now consider whether Justice Hughes’s application of the law to the particular facts of this case was vitiated by palpable and overriding error. In my view, it was not. In finding that the information in question was located in Canada within the meaning of section 231.6, Justice Hughes properly took into consideration the fact that eBay US and eBay International had granted the appellants access to information about Canadian PowerSellers for the purpose of their business, and that they indeed used it for this purpose. The facts support the following conclusion by Justice Hughes (supra at para. 25):

For perhaps corporate efficiency the information is stored elsewhere, but its purpose is in respect of Canadian business. The information is not foreign but within Canada for the purposes of section 231.2 of the Income Tax Act.

[53] Since the facts of this case do not engage section 231.6, it is not necessary to consider whether the presence of that section in the statutory scheme reduces the Minister’s powers under section 231.2 when the requirement relates to “foreign-based information”.

See also: Michael Geist - Federal Court of Appeal Upholds Ebay Power Seller Decision, EXCESS COPYRIGHT: eBay "PowerSeller" data is "both here and there".

Federal court orders disclosure of eBay PowerSeller records to Canada Revenue Agency

Michael Geist, on his great blog, is pointing to an article in yesterday's Globe & Mail, in which the Federal Court of Canada has ordered that eBay Canada turn over records related to Canadian PowerSellers. As the Court's decision says, the Income Tax Act authorizes such fishing expeditions.

What is probably of greatest relevance from a privacy point of view is that the location of the information is not entirely relevant:

[23] The issue as to the reach of section 231.2 when information, though stored electronically outside Canada, is available to and used by those in Canada, must be approached from the point of view of the realities of today’s world. Such information cannot truly be said to “reside” only in one place or be “owned” by only one person. The reality is that the information is readily and instantaneously available to those within the group of eBay entities in a variety of places. It is irrelevant where the electronically-stored information is located or who as among those entities, if any, by agreement or otherwise asserts “ownership” of the information. It is “both here and there” to use the words of Justice Binnie in Society of Composers, Authors and Music Publishers of Canada v. Canadian Ass’n of Internet Providers, 2004 SCC 45 (CanLII), [2004] 2 S.C.R. 427 at paragraph 59. ...

[24] In the present case, eBay Canada has access to and uses information respecting PowerSellers. It is not determinative of the issue that the electronic apparatus storing the information which eBay Canada accesses is outside Canada. The information can be summoned up in Canada and for the usual business purposes of eBay Canada. The situation may be different if the information never had been used in Canada.

[25] To analogize to R. v. Spencer, supra, the information that the bank manager had is summonable from his memory but it was placed in his memory through transactions he witnessed in the Bahamas. Nonetheless, he was required to summon up the information in Canada. Here eBay Canada has access to and uses information stored in a computer for the very purpose of dealing with Canadian PowerSellers. For perhaps corporate efficiency the information is stored elsewhere, but its purpose is in respect of Canadian business. The information is not foreign but within Canada for the purposes of section 231.2 of the Income Tax Act.

See: globeandmail.com: Taxman goes browsing on eBay and Michael Geist - Federal Court Orders eBay To Disclose Power Sellers to CRA.

Federal Court orders Privacy Commissioner to investigate American company

Yesterday, the Federal Court of Canada released what is an important decision related to the jurisdiction of the Federal Privacy Commissioner to investigate organizations outside of Canada, but are trafficking in the personal information of Canadians. Phillipa Lawson, of the University of Ontario, filed a complaint against Abika.com after she ordered, paid for and obtained her own personal information from the information broker. She then complained to the Privacy Commissioner of Canada under PIPEDA. The Commissioner declined to investigate saying that the legislation does not extend to investigating organizations located only in the United States.

Phillipa Lawson sought judicial review of the decision not to investigate and the Federal Court agreed. It concluded that the Privacy Commissioner confused her power to investigate with the effectiveness of the investigation. (Abika refused to participate in the investigation.)

The conclusion of the decision says it all: "In conclusion, PIPEDA gives the Privacy Commissioner jurisdiction to investigate complaints relating to the transborder flow of personal information."

Thanks to Michael Geist for the link.

For additional background, see here.

Finding: PIPEDA access right exists during litigation

In a finding under PIPEDA published on the OPC website, the Assistant Privacy Commissioner of Canada found that an airline's obligation to provide an individual with access to his information continues to exist even if there is litigation pending between the applicant and the organization. See: Commissioner's Findings - PIPEDA Case Summary #352: Airline delays granting access to personal information, citing ongoing litigation (September 8, 2006).

It is also worth noting that the Commissioner's office had to commence an application before the Federal Court in order to get the airline to follow her recommendation.