US Supreme Court Justice reconsiders "third party doctrine"

I linked earlier today to the important case of US v Jones (US Supreme Court says cops need a warrant to GPS track a vehicle). It's an important case, but I think it is worth noting Justice Sotomayor calls the "third party doctrine" into question. It is an aside and not the opinion of the Court, but hopefully is the first of many reconsiderations of this deplorable and outdated legal theory that states you lose any expectation of privacy if your personal information is in the hands of any third party.

Here is her discussion of this point:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellu- lar providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medi- cations they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”). Resolution of these difficult questions in this case is unnecessary, however, because the Government’s physical intrusion on Jones’ Jeep supplies a narrower basis for decision. I therefore join the majority’s opinion.

For some discussion of this, check out A Supreme Court Justice's Radical Proposal Regarding The Privacy of Your Google Searches, Facebook Account & Phone Records - Forbes.

US Supreme Court says cops need a warrant to GPS track a vehicle

The US Supreme Court has just released its unanimous decision in US v Jones [PDF], in which the Court held that law enforcement need either a warrant or the owner's permission to attach a GPS tracking device on a vehicle. This is an important decision and the fact that it was unanimous is encouraging.

See also: High Court - Warrant Needed for GPS Tracking - NYTimes.com

Ontario recognizes tort of invasion of privacy

A unanimous panel of the Ontario Court of Appeal has just released its decision in Jones v Tsige, 2012 ONCA 32. The court has recognized that there is a tort of invasion of privacy in Ontario. The decision can be found here: Jones v. Tsige, 2012 ONCA 32, but here is the gist of the tort:

2. Defining the tort of intrusion upon seclusion

a) Introduction

[65] In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

b) Rationale

[66] The case law, while certainly far from conclusive, supports the existence of such a cause of action. Privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy. Charter jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion. Many legal scholars and writers who have considered the issue support recognition of a right of action for breach of privacy: see e.g. P. Winfield, “Privacy” (1931), 47 L.Q.R. 23; D. Gibson, “Common Law Protection of Privacy: What to do Until the Legislators Arrive” in Lewis Klar (ed.), Studies in Canadian Tort Law (Toronto: Butterworths, 1977) 343; Robyn M. Ryan Bell, “Tort of Invasion of Privacy – Has its Time Finally Come?” in Todd Archibald & Michael Cochrane, Annual Review of Civil Litigation (Toronto: Thomson Carswell, 2005) 225; Peter Burns, “The Law and Privacy: the Canadian Experience” (1976), 54 Can. Bar Rev. 1; John D.R. Craig, “Invasion of Privacy and Charter Values: The Common Law Tort Awakens” (1997), 52 McGill L.J. 355.

[67] For over one hundred years, technological change has motivated the legal protection of the individual’s right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of “the pressing need to preserve ‘privacy’ which is being threatened by science and technology to the point of surrender”: “The Law and Privacy: the Canadian Experience” at p. 1. See also Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic data bases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled, and the nature of our communications by cell phone, e-mail or text message.

[68] It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

[69] Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. While Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information. The discipline administered by Tsige’s employer was governed by the principles of employment law and the interests of the employer and did not respond directly to the wrong that had been done to Jones. In my view, the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy.

c) Elements

[70] I would essentially adopt as the elements of the action for intrusion upon seclusion the Restatement (Second) of Torts (2010) formulation which, for the sake of convenience, I repeat here:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

[71] The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.

d) Limitations

[72] These elements make it clear that recognizing this cause of action will not open the floodgates. A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

[73] Finally, claims for the protection of privacy may give rise to competing claims. Foremost are claims for the protection of freedom of expression and freedom of the press. As we are not confronted with such a competing claim here, I need not consider the issue in detail. Suffice it to say, no right to privacy can be absolute and many claims for the protection of privacy will have to be reconciled with, and even yield to, such competing claims. A useful analogy may be found in the Supreme Court of Canada’s elaboration of the common law of defamation in Grant v. Torstar where the court held, at para. 65, that “[w]hen proper weight is given to the constitutional value of free expression on matters of public interest, the balance tips in favour of broadening the defences available to those who communicate facts it is in the public’s interest to know.”

Police coming up empty with justification for "lawful access"

Perhaps not surprising to those who have covered this issue for the past number of years, the special interest groups representing law enforcement are scrambling to come up with examples of why "lawful access" is necessary and their inquiries are drawing blanks. Check it out: Police: No ‘good examples’ of why we need Lawful Access - Jesse Brown - Macleans.ca and Police ‘scrambling’ to justify lawful access laws | FP Tech Desk | Financial Post.

Geist: Are Canada’s digital laws unconstitutional?

Michael Geist's regular column in the Toronto Star is very interesting this week. It highlights that the recent decision of the Canadian Supreme Court regarding a single, national securities regulator throws into question the constitutionality of other federal laws that depend on the "general trade and commerce" power of the Canadian constitution, such as PIPEDA and the new anti-spam law. Geist predicts, rightly I think, that the Privacy Commissioner of Canada will likely face a constitutional challenge to her jurisdiction if she proceeds aggressively for order-making powers.

Check it out: Geist: Are Canada’s digital laws unconstitutional?.

SCC decision on national securities regulation keeps PIPEDA's constitutionality as an open question

Today, the Supreme Court of Canada released its decision in Reference re Securities Act. The Court based much of its decision on existing caselaw, including the General Motors case, which requires certain criteria to be met for the proper exercise of the General Trade and Commerce Power:

As held in General Motors, to fall under the general branch of s. 91(2), legislation must engage the national interest in a manner that is qualitatively different from provincial concerns. Whether a law is validly adopted under the general trade and commerce power may be ascertained asking (1) whether the law is part of a general regulatory scheme; (2) whether the scheme is under the oversight of a regulatory agency; (3) whether the legislation is concerned with trade as a whole rather than with a particular industry; (4) whether it is of such a nature that provinces, acting alone or in concert, would be constitutionally incapable of enacting it; and (5) whether the legislative scheme is such that the failure to include one or more provinces or localities in the scheme would jeopardize its successful operation in other parts of the country. These indicia of validity are not exhaustive, nor is it necessary that they be present in every case. [from the headnote]

It thus remains a live issue whether PIPEDA meets these criteria. The fact that British Columbia, Alberta and Quebec are able to "opt out" by implementing their own substantially similar legislation undermines both (4) and (5).

It will be interesting to see if any such challenge is made or if the Quebec Court of Appeal reference re PIPEDA's constitutionality is ever dusted off.

Privacy Commissioner finding: Laurier Optical inappropriately disclosed customer's information

The Privacy Commissioner of Canada has published its fourth PIPEDA finding of 2011: Commissioner’s Findings - PIPEDA Report of Findings #2011-004: Laurier Optical Improperly Discloses Client’s Personal Information - March 31, 2011. What is most notable is that she "names names", principally because the organization did not respond to her recommendations:

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

.

Here is the summary of the investigation and "Lessons Learned":

An individual who was seeking a refund from Laurier Optical because two pairs of prescription eyeglasses didn’t satisfy him, was shocked to discover the company had copied its written response to his request to 10 different parties.

He complained to our Office that the optometry chain, which has locations in Ontario and Quebec, disclosed his personal information without consent and subsequently failed to provide him with access to his personal information.

The man had obtained two prescriptions from Laurier Optical and found that neither satisfied him. As a result, he obtained a prescription from an independent optometrist who worked elsewhere.

After receiving the refund request, Laurier Optical initiated a complaint against the independent optometrist with the Ontario College of Optometrists. The company alleged the optometrist had incorrectly told the complainant that Laurier Optical had not performed a proper eye exam.

In its written response to the refund request, Laurier Optical included the complainant’s home address, telephone number and details of his three prescriptions, as well as a description of the prescription dispute. The complainant felt it contained false statements damaging to his character. The letter also stated that Laurier Optical would ask two other professional bodies and the two biggest lens manufacturing labs in Canada to evaluate the three prescriptions and obtain neutral opinions.

The letter was copied to 10 different parties, including various Laurier Optical officials; the Ontario College of Optometrists; the College of Opticians of Ontario, the independent optometrist; the company that made the complainant’s lenses, as well as another lens manufacturing company.

The complainant also requested access to his personal information held by Laurier Optical, but received no documentation in response.

Following an investigation, our Office found both the disclosure and access complaints to be well founded.

It was not necessary for Laurier Optical to disclose the complainant’s personal information to the College of Opticians or the lens manufacturers in order to demonstrate that the lenses it had provided to the complainant were appropriate. Even if these organizations could provide relevant input, they could have done so without knowing the complainant’s name, address, telephone number or details of the dispute. Similarly, it was not necessary to provide the independent optometrist with this information.

We recommended that Laurier Optical train its staff about PIPEDA’s requirements regarding the protection of clients’ personal information.

The organization did not respond.

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

Lessons Learned:

• If an organization is contemplating the disclosure of a client’s personal information without consent, it must ensure that one of the exceptions to consent under subsection 7(3) applies.
  
• The sharing of personal information with other employees or agents of an organization is considered to be a “use” under the Act, rather than a “disclosure.” Therefore, if an organization is contemplating such a use of personal information without the individual’s consent, it must ensure that one of the exceptions to consent under subsection 7(2) applies.
  
• When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information.

SCC to release decision on securities regulation that may affect privacy regulation

On Thursday, the Supreme Court of Canada will be delivering its decision In the Matter of Section 53 of the Supreme Court Act, R.S.C. 1985, C. S-26 and in the Matter of a Reference by the Governor General in Council concerning the proposed Canadian Securities Act, as set out in Order in Council P.C. 2010-667, dated May 26, 2010 (33718).

What does this have to do with privacy, you ask? A lot. Our federal privacy law is on shaky constitutional ground, as it may reasonably be characterized as an incursion into purely provincial jurisdiction in the regulatory realm. We'll see what the SCC has to say about securities regulation, which may have a real spill-over into privacy regulation.

Beware of "surveillance by design" symposium

The Information and Privacy Commissioner of Ontario is organizing a symposium about "Surveillance by Design" which should be very interesting:

Upcoming Events « Privacy by Design

Beware of "Surveillance by Design" Symposium

Date January 27th, 2012

Time: 09:00 AM - 11:00 AM

Location: MaRS Discovery District, MaRS Centre South tower, Suite 100 (Auditorium – Lower Level), 101 College St., M5G 1L7 Toronto, ON, Canada

Beware of "Surveillance by Design:"

The Threat of Looming “Lawful Access” Legislation

Join Ontario's Information and Privacy Commissioner Dr. Ann Cavoukian and leading privacy, legal, and academic experts as we discuss the implications of “lawful access” legislation in Canada

Concern is mounting regarding the impact of proposed “lawful access” legislation in Canada. Media coverage has greatly increased, with this issue becoming a hot topic of discussion by all stakeholders, from the legal community to telecom providers. The Information and Privacy Commissioner of Ontario has been instrumental in bringing attention to this upcoming legislation — which in our view, would represent a system of “surveillance by design.”

The anticipated re-introduction of a trio of federal bills (Bills C-50, C-51, C-52) will provide police with much greater ability to access and track information, via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, including without a warrant or oversight. Taken together, the three pieces of legislation will diminish the privacy rights of Ontarians and indeed of all Canadians.

We have an opportunity to raise awareness on this very important issue, with the goal of impacting the legislation as it is re-introduced. Please join us as we bring together diverse thought leaders to discuss the implications of these federal bills.

The event is being held to celebrate International Privacy Day, marking 31 years since the first binding international convention of privacy came into force.

We are delighted to have as guest speakers:

• Dr. Ron Deibert, Professor, Political Science, University of Toronto
  
• Nathalie Des Rosiers, General Counsel, Canadian Civil Liberties Association
  
• David Fraser, Lead, McInnes Cooper Privacy Practice Group
  
• John Ibbitson, Ottawa Bureau Chief, Globe and Mail

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

Hogan Lovells Chronicle of Data Protection has a good summary of what's expected in the reform of European Data Protection laws in the coming year: Details of EU Data Protection Reform Reveal Dramatic Proposed Changes : HL Chronicle of Data Protection.