Canadian Privacy Law Blog

10 Ways Canada’s Consumer Privacy Protection Act Will Impact Privacy Practices

2020-11-19T13:16:00.006-04:00

We just posted this on the McInnes Cooper client information site:

10 Ways Canada’s Consumer Privacy Protection Act Will Impact Privacy Practices
November 19, 2020
By Sarah Anderson Dykema, CIPP/C, Lawyer at McInnes Cooper,
David Fraser, Privacy Lawyer | Partner at McInnes Cooper
On November 17, 2020, the federal government proposed dramatic changes to how Canada will enforce privacy law, ushering in a new legal regime to protect individuals’ personal information – and to regulate organizations’ privacy practices. Bill C-11: the Digital Charter Implementation Act creates the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information and Electronics Documents Act (PIPEDA), and codify in law organizations’ obligations respecting the collection, use and disclosure of personal information rather than merely rely on the Canadian Standard Association (CSA) Model Code. The federal government says it estimates 18 months for the CPPA to go through the legislative process and become law, though this is always difficult to gauge. It might be derailed by, for example, a federal election or the ongoing COVID-19 Pandemic – but it might not.
It’s still early days, but if the CPPA (or some form of it) passes, it will take organizations time to put the necessary compliance processes in place. Here are 10 ways the Consumer Privacy Protection Act will impact organizations’ Canadian privacy practices.
1. Big Penalties. There will be significant penalties for non-compliance with the CPPA. It authorizes administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences. Currently, PIPEDA only authorizes penalties for breach of the Digital Privacy Act, and those are markedly lower than those under the CPPA: the maximum fine for breaching the Digital Privacy Act is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).
2. Privacy Commissioner Powers. In a move away form the traditional ombudsman model, the CPPA gives the federal Privacy Commissioner broad power to make orders against organizations and to recommend penalties to a new “Personal Information and Data Protection Tribunal”. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization.
3. New Tribunal. A new “Personal Information and Data Protection Tribunal” will determine and levy any penalties – which will have the effect of a court order – and hear appeals from orders of the Privacy Commissioner.
4. Global Application. The new law takes an expansive approach to applicability, expressly applying to all personal information an organization collects, uses or discloses, including interprovincially or internationally. This reflects the increased digitization and globalization of the global economy, which knows no border, and which the COVID-19 Pandemic has accelerated.
5. New Right of Action. It creates a new privacy breach legal claim. Where the Privacy Commissioner decides an organization violated an individual’s privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding, that individual can sue the organization (within 2 years) for compensation for the violation.
6. Data Portability & Deletion. It provides for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that aren’t yet available), likely to be a boon to open banking. Individuals can also require that an organization delete the personal information it’s collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.
7. Algorithmic Transparency. It requires algorithmic transparency. Consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.
8. Consent Exceptions. It “simplifies” consent requirements for organizations by making some (potentially broad) exceptions to when an organization must obtain an individual’s consent to the collection, use or disclosure of the individual’s personal information, such as where the use of personal information is core to the delivery of a product or service. This could impact, for example, the information an organization must communicate in a privacy policy.
9. Data De-Identification. It makes new rules around the de-identification of data – including allowing for organizations to use an individual’s personal information without their consent in order to de-identify their data, but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes.
10. Codes of Practice. It introduces the concept of “Codes of Practice”. The CPPA allows private organizations to establish a “code” and internal certification programs for complying with the law that the Privacy Commissioner will approve. Once approved, the “code” will effectively establish the organization’s legal compliance obligations.

Presentation: Privacy and Cybersecurity - latest trends and legal obligations

2020-11-18T15:15:00.000-04:00

I was invited to speak at the 2nd Annual Atlantic Technology Summit on the topic of cybersecurity, privacy and the law. Not surprisingly, the entire conferene this year was online but it was all well attended.

In case it is of interest to others, here's the presentation I gave which started with a few case studies and then an overview of the current environment affecting legal risk. Of course, the slides were prepared before C-11 dropped though I was able to comment during the presenation that the stakes will get even higher with any breach of security safeguards.

Presentation: Little Brother - Surveillance Technology and Privacy Law

2020-10-07T11:02:00.002-03:00

I had the pleasure of speaking at the University of New Brunswick Law School's weekly speaker hour, on the topic of non-police use of surveillance technology and how that intersects/collides with Canadian privacy laws. Here are the slides in case it's of wider interest ...

Privacy best practices in a pandemic public health emergency

2020-04-10T12:52:00.000-03:00

Since the early days of the COVID-19 pandemic, privacy questions have been in the headlines. International media reported stories from Asia about smartphones being used to enforce quarantine orders. In Ontario, Premier Ford suggested using telecom data to track social isolation compliance and more recently the Quebec police announced that it had arrested a woman in violation of a quarantine order by tracking her down via her cellphone.

Companies are wondering what information they can require from employees about their health, diagnosis or risk factors, and what information they can provide to public health authorities if asked. Companies also have similar questions about customer information.

What privacy laws apply?

Since Canada has a patchwork of privacy laws, the first question is always whether a privacy law applies at all and if so, which one. In Atlantic Canada, public sector employers and “federal works, undertakings and businesses” are subject to privacy regulation for employee information, but the private sector is only covered for customer information. The majority of private-sector employers in Canada (other than in British Columbia, Alberta and Quebec) fall in the gap without privacy regulation for the workplace. Even if no law applies, this does not mean that privacy should be thrown out the window.

Companies should be guided by privacy best practices described below, all of which are embodied in privacy statutes across Canada. These best practices align closely with what employees have come to expect regarding handling of their personal information. Organizations that adopt these principles generally avoid negative reaction from employees that their personal information has been misused. Transparency also encourages honest reporting, as individuals are usually more comfortable with disclosing personal information to an organization that is forthright about how they propose to use the information.

Organizations should be concerned about the relatively new common law causes of action for “intrusion upon seclusion” and “public disclosure of private facts”. Given that health information is particularly sensitive and the irrational stigma that seems to attach to COVID-19 disease, one might allege that disclosing infection risk or status to others may meet the “highly offensive to a reasonable person” threshold for the torts. Applying best practices would minimise the risk of liability.

Balancing privacy with public and occupational health

For employers, what should emerge is a careful balance between privacy principles and legitimate occupational health and safety concerns. The occupational health and safety imperative is a legal one, on both the employer and the employees, as the Occupational Health and Safety Act of Nova Scotia places obligations on both sides to ensure a safe workplace. Given the mode of transmission of the novel coronavirus, employers have a responsibility to keep employees who are at risk of spreading infection out of their workplaces. Some companies have decided to take the temperature of everyone entering the premises and excluding anyone with a fever. Others have adopted questionnaires or mandatory reporting of risk factors. Each of these scenarios involves the collection of personal information, so tread carefully.

What practices to adopt should be informed by the following privacy best practices:

(i) the collection of personal information must be justified, reasonable and non-discriminatory;

(ii) individuals should be given notice of the purposes for the collection, use and disclosure through policy or other direct communications such as signage;

(iii) personal information collected should be restricted to the minimum that is reasonable in the circumstances;

(iv) personal information should only be used for those purposes and should not be disclosed further than necessary; and

(v) the personal information should be accurate, as it will be used to make a decision of whether the employee, contractor or visitor will be permitted to work in the workplace.

What is justifiable and reasonable should be informed by the latest information from public health.

Disclosing personal information to public health authorities

Until recently, public health officials have largely been out of the spotlight, but they have been discreetly and diligently working to contain public health hazards, such as sexually transmitted infections. They are often been given special powers to do so, which includes the ability to require personal information from others. For example, in Nova Scotia, section 15 of the Health Protection Act gives the Chief Medical Officer of Health or his delegate broad powers to order information from third parties. Every privacy law in Canada permits disclosures where required by law and many also permit disclosures where it’s reasonably necessary related to the health and safety of the individual. Obviously, check your local statutes.

That said, we have to be very, very careful about attempts to get data in bulk, such as location data from telcos.

While health and safety are of course top of mind in this pandemic, privacy considerations should also be taken into account.

[Note: This post is based on an upcoming article for the Canadian Bar Association - Nova Scotia's Nova Voce magazine.]

Ontario court adopts the "false light publicity" privacy tort

2020-02-17T08:23:00.000-04:00

Regular readers of this (irregular) blog will recall the milestone case of Jones v Tsige, in which the Ontario Court of Appeal imported into Canada the US privacy torts. That list includes:

1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs.
2. Public disclosure of embarrassing private facts about the plaintiff.
3. Publicity which places the plaintiff in a false light in the public eye.
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.

The fourth cause of action, commercial appropriation of the plaintiff's image, was already alive and well in Canadian tort law. The Court in Jones applied the "intrusion upon seclusion" tort and subsequent cases have applied "public disclosure of private facts" (See Ontario court explicitly adopts new privacy tort: public disclosure of private facts.)

In December 2019, the Ontario Superior Court of Justice explicitly recognized the "false light" privacy tort. In Yenovkian v. Gulian, 2019 ONSC 7279, Justice Kristjanson was dealing with an unpleasant family law case in which the husband had made wild accusations against his former spouse, particularly related to their two children. The judge noted, with respect to the list of privacy torts:

[170] With these three torts all recognized in Ontario law, the remaining item in the “four-tort catalogue” of causes of action for invasion of privacy is the third, that is, publicity placing the plaintiff in a false light. I hold that this is the case in which this cause of action should be recognized. It is described in § 652E of the Restatement as follows:

Publicity Placing Person in False Light

One who gives publicity to a matter concerning another that places the other before the public in a false light is subject to liability to the other for invasion of his privacy, if

(a) the false light in which the other was placed would be highly offensive to a reasonable person, and

(b) the actor had knowledge of or acted in reckless disregard as to the falsity of the publicized matter and the false light in which the other would be placed.

[171] I adopt this statement of the elements of the tort. I also note the clarification in the Restatement’s commentary on this passage to the effect that, while the publicity giving rise to this cause of action will often be defamatory, defamation is not required. It is enough for the plaintiff to show that a reasonable person would find it highly offensive to be publicly misrepresented as they have been. The wrong is in publicly representing someone, not as worse than they are, but as other than they are. The value at stake is respect for a person’s privacy right to control the way they present themselves to the world.

While I don't propose to list all the misconduct the husband was found to have carried out, this summary at the beginning of the decision is helpful for context:

[2] It is also about a father, Mr. Vem Yenovkian, who has engaged in years of cyberbullying of the mother, Ms. Sonia Gulian on websites, YouTube videos, online petitions and emails. It is about a father who videotapes court-ordered access visits with the children—both in-person and on Skype—and edits and posts those access visits and photographs of the children on the internet, with commentary. It is about a father who publicly posts on YouTube a video of his son cowering under a table while the father harangues him over Skype on a court-ordered access visit. It is about a father who posts videos of him describing his daughter, who suffers from a neurological disorder, as looking drugged, when she used to be “normal,” and posting that his daughter has a “broken” mind.

[3] Despite court orders prohibiting posting, the father continues his cyberbullying campaign abusing Ms. Gulian and her parents. He seeks to undermine the administration of justice through an online campaign to “unseat” a judge of this Honourable Court for rulings made, internet attacks on trial witnesses and the wife’s lawyer, and by flouting court orders and family law disclosure obligations.

The Court in this case did not follow the $20,000 "cap" on non-pecuniary damages set out in Jones v Tsige, but rather followed the divergent train of thought started with the Doe case:

[186] There is no claim for pecuniary damages; the only issue is non-pecuniary damages. The infliction of mental suffering and invasion of privacy are based on many of the same facts.

[187] On damages for intrusion on seclusion, the Court of Appeal in Jones v. Tsige held at paragraphs 87-88 that damages for intrusion upon seclusion in cases where the plaintiff has suffered no pecuniary loss should be modest, in a range up to $20,000. The important distinction with the two invasion of privacy torts in issue here, however, is that intrusion on seclusion does not involve publicity to the outside world: they are damages meant to represent an invasion of the plaintiff’s privacy by the defendant, not the separate and significant harm occasioned by publicity.

[188] The two Jane Doe cases have recognized that the cap on damages for intrusion upon seclusion may not apply to the other forms of invasion of privacy: Jane Doe 2016 at para. 58; Jane Doe 2018 at paras. 127-132. In this case, as is in those, the “modest conventional sum” that might vindicate the “intangible” interest at stake in Jones v. Tsige, para. 71, would not do justice to the harm the plaintiff has suffered.

[189] In Jane Doe 2016, at para. 52, Stinson J. turned to sexual battery cases for guidance in arriving at an award, and Gomery J. in Jane Doe 2018, at paras. 127-128 followed the same approach. In support of this approach, Stinson, J. pointed to the similarly of the psychological and emotional harm the plaintiff had suffered to that experienced by victims of sexual assault.

[190] I likewise adopt the method of looking to the factors applied to decide damage awards for a tort causing harms analogous to those the present plaintiff has suffered for invasion of privacy. The harm arising from the invasion of privacy in the present case is akin to defamation. Accordingly, in arriving at an award of non-pecuniary damages, I am guided by the factors described by Cory J. in Hill v Church of Scientology, at para. 187, which I am adapting to the tort of publicity placing a person a false light:

a) the nature of the false publicity and the circumstances in which it was made,
b) the nature and position of the victim of the false publicity,
c) the possible effects of the false publicity statement upon the life of the plaintiff, and
d) the actions and motivations of the defendant.

[191] In this case, the false publicity is egregious, involving alleged criminal acts including by Ms. Gulian against her children. The false publicity is widely disseminated on the internet, as well as through targeted dissemination to church friends and business associates. Ms. Gulian has suffered damage as a mother, as an employee, in the Armenian community, and in her church community. She is peculiarly vulnerable as the spouse of the disseminator of false publicity. The false publicity has had a detrimental effect on Ms. Gulian’s health and welfare, humiliation, caused her fear, and could be expected as well to affect her social standing and position. Mr. Yenovkian has not apologized, nor has he retracted the outrageous comments despite court orders.

[192] The damages for intentional infliction of mental suffering are intended to be compensatory. I award $50,000 compensatory damages for intentional infliction of mental suffering, relying on Boucher v. Wal-Mart Canada Corp., 2014 ONCA 419.

Privacy Commissioner again upends the consensus on transfers for processing in Aggregate IQ investigation

2019-12-11T18:02:00.001-04:00

You may recall earlier this year when the Canadian Privacy Commissioner completely revised the previous consensus by concluding that a "transfer for processing" was a disclosure that requires consent, along with any cross-border transfer of personal information. The Canadian privacy and business community were shocked by this reversal and the Commissioner eventually reversed this position, returning to the status quo.

Once again, the OPC has upended the consensus on using contractors to process information on behalf of a client.

The Privacy Commissioner of Canada and the Information and Privacy Commissioner of British Columbia together released their reports of findings into Aggregate IQ on November 24, 2019, following their joint investigation of the company. You may recognize the name of the company, as it was implicated in the many international Cambridge Analytica investigations. It was a contractor to the now infamous company that was implicated in a range of mischief related to the Brexit campaign and the US 2016 presidential election.

As a Canadian company, it should not be surprising that Aggregate IQ would come under scrutiny in Canada. What is surprising is that the result of the investigation essentially turns a whole lot of Canadian thinking about privacy and contracting out of services on its head, and also seems to ignore binding precedent from the Federal Court of Canada.

Aggregate IQ is essentially a data processing company that works on behalf of political parties and political campaigns. They take data from the campaigns, sort it, supplement it and sometimes use it on behalf of their clients. They key is that they do this work on behalf of clients.

Superficially, it may make sense to conclude that a Canadian company is subject to Canadian privacy laws. But the working assumption has always been that companies that collect, use and disclose personal information on behalf of clients are subject to the laws that govern their clients and their clients' activities. Those "trickle down" through the chain of contracts and sub-contracts. What's shocking is that the OPC has concluded that compliance with those laws is not enough. Processors in Canada, they say, have to also comply with Canadian laws even when they are incompatible with the laws that regulate the client.

For example, Aggregate IQ did work on a mayoral campaign in Newfoundland. No privacy law applies to a mayoral campaign in Newfoundland, but nevertheless the OPC says that Aggregate IQ needed consent for their use of the information on behalf of the candidate. The campaign did not need consent, but the OPC concluded that by using a contractor, the campaign is subject to more laws and additional burdens than the government of Newfoundland has concluded are necessary. Similarly, the OPC says that Aggregate IQ needed consent under PIPEDA for what they were doing on behalf of US and UK campaigns, even though the activity is largely unregulated in the US and consent is not required in the UK (using legitimate bases for processing under the GDPR). Setting aside whether the campaigns were actually complying with their local laws, the conclusion from the OPC is that additional Canadian requirements will be overlaid on top of the laws that should actually matter and actually have a close connection to what's really going on.

Until this point, the consensus has generally been that when a contractor is handling data for a customer, the obligations that lie on the customer flow down to the contractor. Similar to the “controller” and “processor” scheme in GDPR.

Canadian privacy law applies to the collection, use and disclosure of personal information in the course of commercial activity. And you'd think that Aggregate IQ is engaged in commercial activity so PIPEDA would apply. But that's not the case. If a contractor is collecting, using or disclosing personal information on behalf of a client, you have to look at that client's purposes. The Canadian Federal Court clearly concluded this in State Farm v Privacy Commissioner.* In that case, the OPC asserted its jurisdiction over an insurance company because they were clearly commercial, even when acting on behalf of an individual defendant in a car accident lawsuit. The Federal Court firmly disagreed. One has to look at what's really going on. State Farm was not handling personal information on its own behalf, but on behalf of its insured who was not subject to any privacy regulation for that activity. The same principle applies here. If Newfoundland has decided not to regulate how mayoral candidates collect and use personal information, it makes no difference if they use that information themselves or hire a contractor to do that.

This upends what has been understood to be the way things work. And it has worked.

And it is really bad public policy. It puts Canadian companies at a significant disadvantage in very competitive industries. While many people say that GDPR is much more privacy protective, there are many circumstances where personal data can be processed without consent, but based on a legitimate interest. A company or campaign in Europe would be much better off hiring a European company if hiring a Canadian company meant that the legitimate interest is disregarded and a Canadian consent requirement were superimposed. The same would apply to a Canadian campaign: the campaign that complies with whatever laws apply to it directly is suddenly subject to additional rules if it hires a contractor to carry out what would otherwise be a compliant and lawful activity.

It is also really bad public policy because if you take it to the logical conclusion, it means that Canadian governments cannot hire contractors to process or use personal information on their behalf. All Canadian public sector privacy laws are based on "legitimate purposes", so consent is not required where the collection, use or disclosure is lawfully authorized and legitimate. But this finding by the OPC would say that the contractor has to get consent under PIPEDA for whatever they do for their public sector client. This is not workable and I hope is an unintended consequence.

Beyond that, I'm not sure what to say. It appears that Aggregate IQ has agreed to follow the Commissioner's recommendations, so this will not be given the chance to be corrected by the Federal Court.

How this will play out in future cases remains to be seen.

* I should note that I was counsel to State Farm in that case.

Presentation: Access to Government Information

2019-11-23T10:32:00.000-04:00

On Friday, November 23, 2019, I had the pleasure of presenting on the topic of access to government information with Janet Curry of the Workers Compensation Board at the Canadian Bar Association - Nova Scotia branch annual professional development conference. In case it's of interest, here's our presentation.

ACCESS TO GOVERNMENT INFORMATION (FOIPOP AND BEYOND!)

David Fraser, McInnes Cooper; Janet Curry, Workers’ Compensation Board of Nova Scotia

The panel will share their perspectives on advising clients on requests for access to information held by government and public bodies. They will share best
practices and tips from both sides – those making requests for access to information, and those responding to such requests.

You can download it in PDF format here.

Presentation: Surveillance tech and privacy laws

2019-11-20T10:38:00.001-04:00

I was honoured to be asked to give a breakfast presentation to the Canadian Security Association Atlantic Chapter on surveillance and security technology and the law. In case it's of broader interest, here's the presentation:

You can also grab it as a PDF here.

What a CLOUD Act agreement will look like for Canada

2019-10-14T13:16:00.000-03:00

The United States Department of Justice and the United Kingdom Home Office have announced that the two countries have signed a bilateral agreement “On Access to Electronic Data for the Purpose of Countering Serious Crime”. The Agreement is intended to be a bilateral agreement of the type anticipated under the CLOUD Act. Passed in March 2018, partially to address the litigation against Microsoft related to evidence in Ireland, the CLOUD Act authorizes the United States to enter into executive agreements with other countries that meet specific criteria related to rule of law, civil rights and privacy. Once laid before Congress and approved, the result is to lift each party’s legal barriers that prevent one country’s legal processes from being recognized in the other. Many countries have been seeking an alternative to the traditional channels of mutual legal assistance, which are seen as time consuming and cumbersome.

When it comes to orders directed at US custodians of information, the main barrier to be overcome is the American Stored Communications Act that prohibits most US service providers from providing the content of communications except in response to a US court order. These can be obtained via the mutual legal assistance system, but all the steps required to obtain these orders are seen by law enforcement and cumbersome and time consuming. Under a CLOUD Act executive agreement, US service providers will no longer be prohibited from providing such content in response to an appropriate foreign order. It is very important to note that the CLOUD Act does not make foreign orders enforceable (with full force of a domestic court order) in the United States, but merely removes this barrier.

On the UK side of the equation, changes were made in UK law to permit this under the Crime (Overseas Production Orders) Act 2019, which received Royal Assent in February 2019. The Agreement will enter into force following a six-month Congressional review period mandated by the CLOUD Act, and the related review by UK’s Parliament.

Australia has already announced that it is seeking its own CLOUD Act executive agreement, and Canada is rumoured to be in similar discussions.

The Canadian Association of Chiefs of Police have been lobbying pretty hard for an executive agreement between Canada and the US, and called for it in their 2018 Annual Resolutions:

BE IT FURTHER RESOLVED that the Canadian Association of Chiefs of Police urges the Government of Canada to negotiate a bilateral data-sharing agreement with the United States of America who are authorized to do so pursuant to the CLOUD Act, and;

BE IT FURTHER RESOLVED that the Canadian Association of Chiefs of Police seeks a commitment from the Government of Canada for meaningful consultation with the CACP during the development of these instruments.

So what would this look like for Canada? The CLOUD Act and executive agreements are based on reciprocity, meaning that not only can Canadian law enforcement obtain information from US-based service providers, but American law enforcement can obtain information from Canadian-based information custodians. Currently, that’s mostly a no-go except through the MLAT.

In order for Canada to sign an executive agreement and give it effect, it would have to amend the Criminal Code and other statutes to give Canadian production orders extraterritorial effect or to create a new class of production orders, in a manner that is similar to the UK Crime (Overseas Production Orders) Act 2019. Notwithstanding the wishful thinking of many in Canada’s law enforcement community (relying, in part, on the wrongly-decided Brecknell decision from BC), Canadian production orders to not operate extraterritorially.

Removing Canadian legal barriers to foreign court orders that are subject to the bilateral executive agreement will likely be the most controversial part of the process. Canadians likely do not mind if Canadian law enforcement are able to obtain data about Canadian suspects in Canadian criminal investigations from foreign service providers. They likely will care about whether US law enforcement can obtain access to information from Canadian service providers.

Currently, all Canadian privacy laws prevent disclosure to foreign law enforcement under foreign orders. That includes private sector privacy laws, like the federal Personal Information Protection and Electronic Documents Act and provincial equivalents. The list would also include the health privacy laws in effect in most Canadian provinces, and each public sector privacy law. Currently, the public sector laws in British Columbia and Nova Scotia specifically prohibit disclosures in response to “foreign demands for disclosure”. This will either have to be removed or Canada will need to negotiate an exception in its executive agreement with the US to carve out information that is subject to public sector privacy laws.

What will likely be lost in the discussion and debate is the fact that CLOUD Act agreements are not intended to simply give effect to all orders from the other state. They are intended to create a form of passing lane in the MLAT for certain kinds of orders where the requesting state has a strong interest in the data and the receiving state has a minimal interest. For example, Canadian authorities can’t use a qualifying order to get information about a US suspect from a US service provider. Those would still have to go through the MLAT, subject to close scrutiny by American authorities. Likewise, US authorities should not be able to obtain information about Canadians from a Canadian service provider under this arrangement.

What also needs to be emphasised is that any Canadian amendments should not go any further than mirroring the changes made in the US law. The CLOUD Act does not make foreign orders enforceable (with full force of a domestic court order) in the United States, but merely removes certain barriers. Canadian amendments should do the same and make sure that a Canadian service provider has resort to Canadian courts and the Charter to review any foreign demands. And these orders should be limited to serious crimes.

I expect it will be an interesting discussion when it is finally announced. I would hope there is meaningful discussion, rather than just unveiling it as a fait accompli.

Another privacy class action dismissed due to lack of compensable damages

2019-08-22T12:12:00.001-03:00

Privacy class actions seem to be having a bit of a rough time as of late.

“The need to change a password at a higher frequency cannot give rise to a serious compensable loss claim.”

Following a trend that has become reasonably well established in Québec and is expanding across Canada, the province’s Superior Court has refused to certify a privacy class action on the basis that the representative plaintiff did not experience any compensable harm. In Bourbonnière c. Yahoo! Inc., Justice Tremblay considered a certification application brought by a putative class of individuals affected by a range of data breaches suffered by Yahoo! Inc. and Yahoo! Canada Corp. Yahoo! had announced a number of incidents, including one that saw information about 500 million users stolen in 2014, another in 2013 which also involved information theft and unauthorized access to account data using a forged digital cookie file.

The representative plaintiff testified that she had no reason to believe that she had been a victim of identity theft or fraud as a result, and had not identified any suspicious financial transactions. In addition, she continues to use her Yahoo! mail account and has not signed up for any identity theft protection or credit monitoring products.

The Court summarized her harm at paragraphs 36 and 37:

[36] In summary, Plaintiff has not incurred any out-of-pocket costs associated with the protection of her personal and/or financial information.

[37] The only prejudice suffered by the Plaintiff relates to the inconvenience of having to change her passwords in all of the accounts associated with her Yahoo email address and the alleged embarrassment suffered as a result of spam emails that were sent to her friends. The Court is of the view that such prejudice is insufficient to justify a class action.

This conclusion was based on a growing line of authorities in Québec. The Court referred to Mustapha v. Culligan of Canada Ltd of the Supreme Court of Canada, standing for the proposition that “compensable injury must be ‘serious and prolonged’ and rise above the ordinary annoyances, anxieties and fears that a person living in society may experience”.

[42] Similarly, in Mazzonna, a case involving the loss of data tape, the Superior Court concludes that the anxiety felt by the plaintiff upon and after learning that her personal information had been lost and the modification of habits in the manner in which she managed her bank account, is not enough to meet the threshold, even on a prima facie basis, of the existence of compensable damages.

[43] The present case can be distinguished from other data security incident cases such as Zuckerman and Belley since, unlike these two other cases, Plaintiff has not incurred any expenses for credit monitoring services nor was she a victim of identity theft.

[44] The transient embarrassement [sic] and inconveniences invoked by the Plaintiff are of the nature of ordinary annoyance and do not constitute compensable damages recoverable under the applicable law. Indeed, the need to change a password at a higher frequency cannot give rise to a serious compensable loss claim.

The Court also had issues with the composition of the class, particularly a subclass referred to as the “Collateral Victims”, being “all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of the data security incidents”. As the plaintiffs had not identified any single “Collateral Victim”, the court concluded that this particular subclass was “artificial” and questioned its existence.

The application for certification was dismissed. It is notable that a parallel Ontario proceeding is ongoing.

A previous version of this was written for the Canadian Technology Law Association newsletter.

Presentation: What’s new in cross-border digital evidence gathering for criminal investigations?

2019-05-10T12:18:00.000-03:00

I was invited to present at the High Technology Crime Investigation Association's first annual Canadian Cyber Summit.

I spoke about recent issues and trends in cross-border criminal investigations originating in Canada, starting with the current state of affairs and the Mutual Legal Assistance Treaty regime, issues caused by blocking statutes and what the CLOUD Act will mean for Canadian investigators.

In case it's of broader interest, here's the presentation:

My Atlantic Security Conference 2019 Presentation: The New Privacy and Cybersecurity Legal Risk Landscape (or how to play nicely with lawyers)

2019-04-25T18:19:00.000-03:00

I was invited back this year to the Atlantic Security Conference as a speaker. It's a great event and shows that Halifax really punches above its weight when it comes to tech and skills.

Another great talk from @privacylawyer. Day one of @AtlSecCon going well. pic.twitter.com/xdxteCRsJn
— Jacob Goulden (@JacobGoulden) April 24, 2019

My presentation was on The New Privacy and Cybersecurity Legal Risk Landscape (or how to play nicely with lawyers), focusing on the drivers that are forcing a convergence between privacy and infosec. It also talks about the skills that infosec folks can cultivate to become of greater value to their clients, by developing skills to translate between business folks and lawyers on security issues. The crowd was great with some fantastic questions.

Here's the presentation for anyone who may be interested.

Privacy Commissioner proposes new guidance on crossborder transfers, requiring consent for all outsourcing

2019-04-20T10:24:00.000-03:00

In seeking to revise crossborder dataflows, the OPC’s position would require consent for all transfers of personal information for processing

The Office of the Privacy Commissioner of Canada (OPC) has initiated a consultation that proposes to completely reverse its previous guidance on crossborder dataflows under the Personal Information Protection and Electronic Documents Act (PIPEDA). And because they are trying to fit a round peg in a square hole, their position -- if implemented -- will have a huge impact on all outsourcing.

In 2009, the OPC published a position that was consistent with the actual wording of the statute. It held that when one organization gives personal information to a service provider, so that the service provider can process the data on behalf of the original organization, it was a transfer and not a disclosure. This is an important distinction because transfers do not require consent from the individual, as is the case with a disclosure. Data is disclosed when it is given to another organization for use by that organization for its own purposes. In a transfer scenario, the personal information is protected by operation of the accountability principle, which means the organization that originally collected the data and has transferred it to a service provider remains responsible for the personal data and has to use contractual and other means to make sure that the service provider takes good care of the personal information at issue. Importantly, in its 2009 guidance, the OPC correctly noted “PIPEDA does not distinguish between domestic and international transfers of data.” Consent was not required, but the OPC did recommend that notice be given to the individual:

Organizations must be transparent about their personal information handling practices. This includes advising customers that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.

The 2009 policy position reflects the consensus of most privacy practitioners since PIPEDA came into effect in 2001. The new position is a complete reversal and discards the notion of “transfers” of personal information for processing:

Under PIPEDA, any collection, use or disclosure of personal information requires consent, unless an exception to the consent requirement applies. In the absence of an applicable exception, the OPC’s view is that transfers for processing, including cross border transfers, require consent as they involve the disclosure of personal information from one organization to another. Naturally, other disclosures between organizations that are not in a controller/processor relationship, including cross border disclosures, also require consent. [emphasis added]

The new position concludes that because there is nothing in PIPEDA that specifically exempts transfers from consent, transfers can be folded into the mandatory consent scheme:

While it is true that Canada does not have an adequacy regime [as in Europe] and that PIPEDA in part regulates cross border data processing through the accountability principle, nothing in PIPEDA exempts data transfers, inside or outside Canada, from consent requirements. Therefore, as a matter of law, consent is required. Our view, then, is that cross-border data flows are not only matters decided by states (trade agreements and laws) and organizations (commercial agreements); individuals ought to and do, under PIPEDA, have a say in whether their personal information will be disclosed outside Canada.

This new position, while demanding consent, brings the true nature of that consent into question. One one hand, the organization has to get consent. On the other hand, the individual can be given no meaningful choice or ability to opt-out, because the organization can say “take it or leave it”:

Organizations are free to design their operations to include flows of personal information across borders, but they must respect individuals’ right to make that choice for themselves as part of the consent process. In other words, individuals cannot dictate to an organization that it must design its operations in such a way that personal information must stay in Canada (data localisation), but organizations cannot dictate to individuals that their personal information will cross borders unless, with meaningful information, they consent to this.

There is little basis in the statute for this position reversal, and their consultation document shows some significant mental gymnastics to get where they want to go notwithstanding the actual scheme of the Act.

Because PIPEDA does not deal with crossborder transfers in any specific way, the only way for the OPC to get to the result they seek is to impose their new requirements on all transfers for processing by a third party, regardless of whether that processing involves moving the personal information outside of Canada. And to highlight the shortcomings of trying to shoehorn this principle into the existing statute, it would not affect in any way a US company that operates in Canada deciding after the fact to move data to its own US-based data centre because it would not be a disclosure or a transfer from one entity to another.

When PIPEDA was first passed and as subsequently amended, Parliament expressly excluded crossborder barriers.

Parliament had the example of the European Data Protection Directive and its adequacy mechanism, but Parliament did not follow this model at all. The only way for the OPC to get to the result it is seeking is to impose new requirements on all transfers for processing by a third party, regardless of whether that processing involves moving the personal information outside of Canada. By going after crossborder transfers -- which is ill-conceived on its own -- the OPC is proposing to break all domestic outsourcing, as well. This is a massive cost with no discernible privacy benefit.

If Parliament had intended to address crossborder data transfers, it would have done so. It can still do so. It is not the role of the Privacy Commissioner of Canada to usurp Parliament’s prerogatives in this manner.

This reimagining of PIPEDA really stretches statutory interpretation past the breaking point. It also has the effect of undermining the rule of law when an Officer of Parliament decides unilaterally to reinterpret and essentially re-write the statute presented to him by the institution to which he is accountable. This should have been a consultation that would lead to a report to Parliament, not the imposition of GDPR-envy on companies operating in Canada.

The proposal immediately garnered significant criticism. Lisa Lifshitz wrote for Canadian Lawyer Magazine:

This is problematic in several respects as this analysis flies in the face of years of guidance from the OPC and reiterated repeatedly, including in the 2012 Privacy and Outsourcing for Businesses guidance document) that a transfer for processing is a "use" of the information, not a disclosure. Assuming the information is being used for the purpose it was originally collected, additional consent for the transfer is not required; it is sufficient for organizations to be transparent about their personal information handling practices. This includes advising Canadians that their personal information may be sent to another jurisdiction for processing and that while the information is in another jurisdiction it may be accessed by the courts, law enforcement and national security authorities.

***

The OPC’s implement-first-ask-permission-later approach to changing the consent requirements for cross-border data transfers is troublesome at best and judging from initial reactions, sits uneasily with many (me included).

Likely knowing this, at the same time it released the Equifax decision the privacy commissioner also announced a “Consultation on transborder dataflows” under PIPEDA, not only for cross-border transfers between controllers and processors but for other cross border disclosures of personal information between organizations. The GDPR-style language used in this document is no accident and our regulator is seemingly trying to ensure the continued adequacy designation of PIPEDA (and continued data transfers from the EU to Canada) by adopting policy reinterpretations (and new policies) pending any actual legal reform of our law. Meanwhile, the OPC’s sudden new declaration that express consent is required if personal information will cross borders (and the related requirement that individuals must be informed of any options available to them if they do not wish to have their personal information disclosed across borders) introduces a whole new level of confusion and complexity regarding the advice that practitioners are supposed to be giving their clients pending the results of the consultations review, not to mention the potential negative business impacts (for consumers/vendors of cloud/managed services and mobile/ecommerce services, just to name a few examples) that may arise as a consequence.

Michael Geist has written about the OPC’s approach on his blog:

While the OPC position is a preliminary one – the office is accepting comments in a consultation until June 4 – there are distinct similarities with its attempt to add the right to be forgotten (the European privacy rule that allows individuals to request removal of otherwise lawful content about themselves from search results) into Canadian law. In that instance, despite the absence of a right-to-be-forgotten principle in the statute, the OPC simply ruled that it was reading in a right to de-index search results into PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act). The issue is currently being challenged before the courts.

In this case, the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC, effectively seeking to update the law through interpretation rather than actual legislative reform.

The OPC is inviting comments up to June 4, 2019 and I am sure expected they’ll get an earful.

This posting is based, in part, on a summary I prepared for the Canadian Technology Law Association's newsletter.

The OPC has just posted a bit of a justification/explanation for their consultation, along with some specific questions they'd like addressed. They are specifically looking for guidance on the following:

Questions for Stakeholders

In your view, does the principle of consent apply to the transfer of personal information to a third party for processing, including transborder transfers? If not, why is the reasoning outlined above incorrect?
Does Principle 4.1.3 affect the interpretation or scope of the principle of consent? If so, what is the legal basis or grounds for this interpretation?
What should be the scope of the consent requirements in the Act in light of the objective of Part 1 of PIPEDA as set out in section 3, the new section 6.1 (and its reference to the nature, purpose and consequences of a disclosure), and the OPC’s Guidelines for obtaining meaningful consent, in force since January 1 2019? Specifically:
1. In what circumstances should consent be implicit or explicit?
2. What should be the level of detail in the information given to the person affected? Do you agree that consent should be comprised of at least the following elements: (i) the purposes for which the responsible organization seeks to use the personal information, (ii) the fact that it uses third parties for processing but that it provides for a comparable degree of protection, (iii) when the third parties are outside of Canada, the countries where the personal information will be sent, (iv) the risk that the courts, law enforcement and national security authorities in those countries may access the personal information?
3. Should the notice to the affected person name the third parties?
4. Should the notice contain other pieces of information?
Since the 2009 Guidelines already require that consumers be informed of transborder transfers of personal information, and of the risk that local authorities will have access to information (preferably at the time it is collected), at a practical level, would elevating these elements to a legal requirement for meaningful consent significantly impact organizations? If so, how?
If the elements identified in question 3(b) were required conditions for meaningful consent under a new OPC statement of principle, what steps should the OPC take to address the needs of organizations to collect, use, and disclose personal information?
What elements should be included in obtaining consent for transfers for processing that are not transborder?
Do you think the proposed interpretation of PIPEDA is consistent with Canada’s obligations under its international trade agreements? If not, why would the result be different from the current situation, where the elements identified in question 3(b) must disclosed as part of the openness principle?
Any other comments or feedback you think may be helpful.

Ontario court refuses to order accused to unlock his smartphone

2019-04-01T10:54:00.000-03:00

Not sure how I missed this one when it came out in January ...

The Ontario Court of Justice has refused to order an accused to unlock his smartphone or to provide the crown with the password for the device. In R v Shergill, 2019 ONCJ 54, the Crown made an application for a search warrant for a phone seized from the accused. The interesting part is that the Crown also sought an assistance order under s. 487.02 of the Criminal Code. Notably, the application was not made ex parte so the accused was able to make submissions.

The Crown argued that the accused's Charter rights were not engaged.

[3] The Crown says that basic principles of statutory interpretation allow for an accused to be the subject of an assistance order in relation to his or her own investigation. The Crown further submits that this request for an assistance order does not raise Charter concerns, but is instead a matter of mere practicality. The Crown’s factum focusses entirely on the principle against self-incrimination, submitting that the proposed assistance order does not engage that principle because it only compels Mr. Shergill to provide access to, and not create, material the police are judicially authorized to examine, and because any self-incrimination concerns are met by the grant of use immunity over Mr. Shergill’s knowledge of the password.

The Court decided in favour of the accused, finding that this order would engage the accused's right to silence and the protection against self-incrimination. The Court wrote:

(e) The Right to Silence

[21] In my view, the more significant principle of fundamental justice at stake is the right to silence. This right emerged as a component of the protection against self-incrimination in R. v. Hebert in which McLachlin J. (as she then was), held:

If the Charter guarantees against self-incrimination at trial are to be given their full effect, an effective right of choice as to whether to make a statement must exist at the pre-trial stage… the right to silence of a detained person under s. 7 of the Charter must be broad enough to accord to the detained person a free choice on the matter of whether to speak to the authorities or to remain silent.

McLachlin J. also reaffirmed the Court’s prior holding that the right to silence was “a well-settled principle that has for generations been part of the basic tenets of our law.”

[22] The “common theme” underlying the right to silence is “the idea that a person in the power of the state in the course of the criminal process has the right to choose whether to speak to the police or remain silent.” In tracing the history of the right, McLachlin J. referred to an “array of distinguished Canadian jurists who recognized the importance of the suspect’s freedom to choose whether to give a statement to the police or not” and described the essence of the right to silence as the “notion that the person whose freedom is placed in question by the judicial process must be given the choice of whether to speak to the authorities or not.”[21] Finally, Hebert held that s. 7 provides “a positive right to make a free choice as to whether to remain silent or speak to the authorities.”

[23] The pre-trial right to silence is a concept which, as Iacobucci held in R.J.S., has been “elevated to the status of a constitutional right.”[footnotes omitted]

The Court then discussed some of the challenges that law enforcement are facing in light of new technology and encryption in particular. Though there is always a compelling public interest in the investigation and prosecution of crimes, the final balancing came down on the side of the accused's liberty interests under s. 7 of the Charter.

[51] I accept that the current digital landscape as it relates to effective law enforcement and the protection of privacy presents many challenges. It may be that a different approach to this issue is warranted, whether through legislative initiatives or modifications to what I see as jurisprudence which is binding on me. But on my best application of controlling authority, I am simply not persuaded that the order sought can issue without fundamentally breaching Mr. Shergill’s s. 7 liberty interests, a breach which would not be in accordance with the principle of fundamental justice which says that he has the right to remain silent in the investigative context.

The search warrant was issued, but the assistance order was denied.

Privacy for start-ups and growing businesses

2019-02-19T14:15:00.000-04:00

I was invited with my colleague Sarah Anderson Dykema to present on privacy by design for start-ups at Volta Labs. Volta is Eastern Canada's innovation hub, incubating and accelerating start-ups.

The turnout was great and the presentation was well received. I promised to publish it on my blog for the attendees, and for anyone else who may find it of interest.

>

Supreme Court of Canada lays down a very nuanced, contextual understanding of "expectation of privacy"

2019-02-14T22:23:00.000-04:00

Today the Supreme Court of Canada issued a very important privacy decision in R v Jarvis. I say it’s important for a number of reasons. First, it’s an important decision that strongly defines expectation of privacy for the Canadian Criminal Code offence of voyeurism. Second, I expect it will have serious knock-on effects on considering privacy in the regulatory and common-law contexts. Finally, it will inform other instances in our Criminal Code where an expectation of privacy is relevant. The decision has a very highly nuanced and contextual test for determining where there is a reasonable expectation of privacy.

The case is largely about a teacher in a high school who used a covert, miniature camera to take videos of young women’s cleavage over more than a year. It was discovered and he was charged under the relatively new voyeurism offence in the Code. Two essential elements of the offence are that there have to be circumstances that give rise to a reasonable expectation of privacy and the recording has to be done for a sexual purpose.* In R v Jarvis, the recording took place in otherwise “public areas” of the school, so not in washrooms or changing rooms. It also has to be "surreptitious", but the observation itself was not surreptitious. What was being recorded was largely observed in real-time by the teacher. The recording was surreptitious.

The trial judge found that there was a reasonable expectation of privacy but the crown had not proven the sexual purpose beyond a reasonable doubt. It’s hard to get one’s head around that, as the teacher had many, many recordings spanning more than a year of students’ cleavage and chest areas. I’m not sure what other purpose he could have had.

The crown appealed to the Ontario Court of Appeal, which had little difficulty concluding that there was a sexual purpose but split on the reasonable expectation of privacy in a "public place" where the young women could generally be observed by teachers and other students.

On appeal to the Supreme Court of Canada, the Court found the accused to be guilty of the offence and provided a very nuanced and contextual framework for determining where and when there is a reasonable expectation of privacy. What is particularly notable for technology lawyers is the role that the covert recording device plays in this analysis. It is not simply a matter that what was recorded could have been observed with one’s bare eyes. The tech plays a role in a couple of ways. Recording is more intrusive than mere observation and awareness of (or the lack of awareness) the observation also plays an important role.

The Court provided a non-exhaustive list of nine factors that courts should consider in deciding the question:

[29] The following non-exhaustive list of considerations may assist a court in determining whether a person who was observed or recorded was in circumstances that give rise to a reasonable expectation of privacy:

(1) The location the person was in when she was observed or recorded. The fact that the location was one from which the person had sought to exclude all others, in which she felt confident that she was not being observed, or in which she expected to be observed only by a select group of people may inform whether there was a reasonable expectation of privacy in a particular case.

(2) The nature of the impugned conduct, that is, whether it consisted of observation or recording. Given that recording is more intrusive on privacy than mere observation, a person’s expectation regarding whether she will be observed may reasonably be different than her expectation regarding whether she will be recorded in any particular situation. The heightened impact of recording on privacy has been recognized by this Court in other contexts, as will be discussed further at para. 62 of these reasons.

(3) Awareness of or consent to potential observation or recording. I will discuss further how awareness of observation or recording may inform the reasonable expectation of privacy inquiry at para. 33 of these reasons.

(4) The manner in which the observation or recording was done. Relevant considerations may include whether the observation or recording was fleeting or sustained, whether it was aided or enhanced by technology and, if so, what type of technology was used. The potential impact of evolving technologies on privacy has been recognized by the courts, as I will discuss further at para. 63 of these reasons.

(5) The subject matter or content of the observation or recording. Relevant considerations may include whether the observation or recording targeted a specific person or persons, what activity the person who was observed or recorded was engaged in at the relevant time, and whether the focus of the observation or recording was on intimate parts of a person’s body. This Court has recognized, in other contexts, that the nature and quality of the information at issue are relevant to assessing reasonable expectations of privacy in that information. As I will discuss further at paras. 65-67 of these reasons, this principle is relevant in the present context as well.

(6) Any rules, regulations or policies that governed the observation or recording in question. However, formal rules, regulations or policies will not necessarily be determinative, and the weight they are to be accorded will vary with the context.

(7) The relationship between the person who was observed or recorded and the person who did the observing or recording. Relevant considerations may include whether the relationship was one of trust or authority and whether the observation or recording constituted a breach or abuse of the trust or authority that characterized the relationship. This circumstance is relevant because it would be reasonable for a person to expect that another person who is in a position of trust or authority toward her will not abuse this position by engaging in unconsented, unauthorized, unwanted or otherwise inappropriate observation or recording.

(8) The purpose for which the observation or recording was done. I will explain why this may be a relevant consideration at paras. 31-32 of these reasons.

(9) The personal attributes of the person who was observed or recorded. Considerations such as whether the person was a child or a young person may be relevant in some contexts.

[30] I emphasize that the list of considerations that can reasonably inform the inquiry into whether a person who was observed or recorded had a reasonable expectation of privacy is not exhaustive. Nor will every consideration listed above be relevant in every case. For example, recordings made using a camera hidden inside a washroom will breach reasonable expectations of privacy regardless of the purpose for which they are made, the age of the person recorded, or the relationship between the person recorded and the person who did the recording. In another context, however, these latter considerations may play a more significant role. The inquiry is a contextual one, and the question in each case is whether there was a reasonable expectation of privacy in the totality of the circumstances.

While anyone could have observed these young women in a relatively public place, what made it particularly problematic was the person who did the observing, in their position of power as a teacher, the victim of the offence, what was focused on and the manner of the observing. Not all of the factors weigh strongly in favour of a finding reasonable expectation of privacy in this case, but the vast majority of them do.

So what does this mean? I expect that we'll be able to see more charges and convictions for similar practices, including "upskirting". We'll also have to see a more nuanced discussion about what is an expectation of privacy in generally public places and I'm confident this will inform judicial decision-making in the context of the privacy torts, which largely hinge on reasonable expectations of privacy, and what it unreasonable. We'll also have to think hard about what role technology plays in privacy, particularly where CCTV cameras are said to be largely equivalent to real-time supervision by managers.

One aspect that I haven't really turned my mind to at this point is the impact of this analysis on expectations of privacy vis-a-vis the state, where section 8 of the Charter is concerned.

* There are other permutations that can give rise to the offence, which do require an expectation of privacy and are largely place-based:

Voyeurism

162 (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if

(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;

(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or

(c) the observation or recording is done for a sexual purpose.

At least in a school, subsections (a) and (b) would generally be found in washrooms and change rooms.

Presentation: Obtaining digital evidence

2018-12-08T17:53:00.001-04:00

This week, I was pleased to be asked to be on a panel with Daniela Bassan on digital evidence for the Canadian Bar Association - Nova Scotia Annual Conference. I spoke about the mechanics of trying to gather and preserve digital (mainly online) information, and Daniela spoke about the process of getting court orders to preserve and access information from third parties.

In case it's of interest, here's my presentation:

You can download a PDF version of the presentation here.

Canadian Privacy Commissioner calls for a new privacy law

2018-12-05T13:42:00.000-04:00

Canadian Privacy Commissioner, Daniel Therrien, has today released a letter written to Navdeep Singh Bains, the Minister of Innovation, Science and Economic Development, calling for a new Canadian privacy law. Such a new law must, he said, include the following aspects:

Continue to be technology neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.
Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.
Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. A principles based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.
Confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.
Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.
Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.

The letter is here, along with a news release.

I agree wholeheartedly with the last bullet point, but I think we should hold off before revamping our privacy law. In my view, it works and it works well. The only impetus for change would be the adequacy determination from Europe, which is not scheduled until 2020. At that point, we'll have an understanding of what's necessary to maintain this important status. In the meantime, the OPC hasn't made a strong case for order making powers. We would have two choices: either create a Privacy Tribunal like the Canadian Human Rights Tribunal (which is often pointed to as a poster-child of inefficiency) or turn the Office of the Privacy Commissioner into something like the CRTC's CASL enforcement group (which has problems of overreach and a clear propensity towards zealous punishment of companies that are making a good faith effort to comply with the law).

At this stage, I haven't seen the Privacy Commissioner fully use all the tools in his toolbox. He has the ability to take a company to the Federal Court. In most of the cases he has done so (that I'm aware of), they've settled. Obviously the Commissioner would not settle a case if it was not to his satisfaction.

Presentation: Privacy 101 for Psychologists

2018-09-28T16:21:00.002-03:00

I was invited to present at an professional development event by the Association of Psychologists of Nova Scotia, on the topic of Privacy 101. In case it's of use to others, here's my slide deck:

The value of legal privilege: Your diligent privacy consultant may become your worst enemy

2018-09-22T20:04:00.000-03:00

A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.

The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.

I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.

Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.

In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.

In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.

With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.

If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.

AtlSecCon Presentation: Canada's new data breach notification regime

2018-04-26T14:47:00.000-03:00

I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.

Presentation: Privacy and privilege at the Canadian border

2018-03-16T22:22:00.001-03:00

The Canadian Bar Association's British Columbia Privacy and Access Law Section and the Immigration Section kindly invited me to Vancouver this past week to give a presentation on the topic of privacy and privilege at the border. Much of this was based on my advocacy work with the CBA in presenting on the topic to the Parliamentary Standing Committee on Privacy, Access to Information and Ethics and pro bono work for the Canadian Civil Liberties Association as an amicus.

In case it's of interest, here's my presentation:

One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.

Privacy Commissioner thinks there's a right to be forgotten in Canada

2018-01-26T11:51:00.000-04:00

The Office of the Privacy Commissioner of Canada just released a news release, another notice of consultation and a draft position paper on "online reputation".

Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".

I'm just digesting it all, but my preliminary view is that it is incorrect and constitutionally untenable. You can see my submission on the earlier consultation here: You'd better forget the right to be forgotten in Canada.

Here's the OPC's press release on this latest development:

Improvements needed to protect online reputation, Privacy Commissioner says

New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education

GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.

The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.

“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.

“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”

The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.

The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.

With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.

Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.

All of these considerations need to be balanced with other important values such as freedom of expression and public interest.

For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.

“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.

There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.

While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.

The report also emphasizes the importance of privacy education.

Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.

“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”

The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.

Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.

After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.

Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company

2018-01-12T12:09:00.001-04:00

The British Columbia Court of Appeal has whipped the door open for the greater use of production orders requiring non-Canadian companies to provide user information. Here's the summary I prepared for my firm (also available here):

The Legal Reality: Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company in British Columbia (Attorney General) v. Brecknell

January 12, 2018

By David Fraser, at McInnes Cooper

Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:

The Legal Trend. The decision lines up with the Supreme Court of Canada’s increasing awareness of the Internet’s inherently global nature, willingness to take jurisdiction in cases that cross borders, and readiness to apply existing legal principles to online business – all as illustrated in the Court’s June 2017 decisions in Google Inc. v. Equustek Solutions Inc. and Douez v. Facebook, Inc. There’s every reason to believe this trend is here to stay – and foreign companies doing business in Canada, even if only virtually, should be prepared for the increased legal exposure it entails.

Broader Implications. The Court’s conclusion that the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s “presence” in Canada will have application to, for example, tax laws, remains to be seen.

More Production Orders & More Content. Non-Canadian companies will likely see more production orders from Canadian courts. Canadian courts will more willingly assume jurisdiction over companies where the only contacts with Canada are virtual (i.e. over the internet), and more readily available to police to obtain production orders against such companies – no matter where they are “physically” present. And this route is much preferred by police compared to proceeding under mutual legal assistance procedures. In addition to more Canadian production orders against internet companies, more of those orders will likely be for “content”, not just identifying information and metadata. And this decision will likely lead Canadian police to conclude that compliance is no longer a question of voluntariness: many internet companies “voluntarily” comply with Canadian orders for non-content data but require Mutual Legal Assistance Treaties (MLAT) processes for content such as email and other communications.

In 2016, the Royal Canadian Mounted Police (R.C.M.P.) applied to the B.C. Provincial Court for a production order requiring Craigslist to produce certain information about one of its users. In particular, R.C.M.P. sought the user’s name or physical address, its email address, the IP address assigned to the user when the post was created, the phone numbers used to verify the user account, the dates and times the post was created post and the record of the posting. The court refused on the basis Craigslist had only a “virtual presence in B.C.” The R.C.M.P. appealed and on January 9, 2018, the B.C. Court of Appeal agreed: Craigslist is “present” in the province of B.C. and police can obtain a production order naming it, even though it has no “physical” presence in Canada or an address in Canada to effect service:

Virtual Presence = Physical Presence. Under Canadian law, a Canadian court has jurisdiction where there is a “real and substantial connection” between Canada (or a Canadian province) and the activity in issue. There’s no “bright line” rule, but courts have consistently decided that actively doing business over the internet with residents of a particular Canadian province is enough to create that connection. This in turn gives the court jurisdiction over the specific subject matter and parties (a.k.a “in personam” jurisdiction), a proposition about which the Supreme Court of Canada most recently pronounced in its June 2017 decision in Google v. Equustek Solutions Inc. Here, the Court of Appeal interpreted the Criminal Code provisions as limiting courts’ ability to issue a production order “…only against a person in Canada”, making the question whether Craigslist – a U.S. company with no physical presence in Canada – is “a person in Canada” for this purpose. The Court concluded the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference (at para. 40):

“… [I]n the Internet era it is formalistic and artificial to draw a distinction between physical and virtual presence. Corporate persons … can exist in more than one place at the same time. … I do not think anything turns on whether the corporate person in the jurisdiction has a physical or only a virtual presence. To draw on and rely on such a distinction would defeat the purpose of the legislation and ignore the realities of modern day electronic commerce…”

The Test is Canadian Presence – not Canadian Possession. The Court was clear that the test for a production order is only the presence of the recipient – and not the information sought to be produced – in Canada. Once the Court of Appeal concluded Craigslist was “a person in Canada”, the test was met (at para. 39):

“In the first instance, the [Criminal Code] section, properly interpreted, stipulates only that the person subject to the order must be a person in the jurisdiction. In my view, Craigslist is such a person. Second, the person must be a person who has possession or control of a document. The section says nothing expressly about where that possession or control exists. Indeed, it may not even be sensible to pose the question in terms of the location of control. A person either does or does not have possession of a document. The question is one of control, not where the control is exercised. In this case, Craigslist has possession or control of the relevant records and the provision requires nothing further. In other words, there is nothing in the section that requires the person in the jurisdiction to be a custodian of the documents in the jurisdiction. In my view, it is sufficient that the person is present within the jurisdiction. I do not think that there is anything extraterritorial in such an interpretation. To conclude that Craigslist is a person within the jurisdiction who has possession or control of documents does not give the section an impermissibly extraterritorial interpretation.”

No Other Barriers. The Court of Appeal rejected the argument that a production order against a foreign company effectively intrudes into another country’s sovereignty, essentially deputizing a non-Canadian company to carry out a search in a foreign country that Canadian police could never carry out themselves. The Court concluded the weight of U.S. legal authority doesn’t treat subpoenas in this manner, noting it appears instead to recognize the U.S. validity of subpoenas directed to persons in the U.S. over whom there is personal jurisdiction to disclose documents in the U.S. even where they must be obtained from outside the U.S. The Court also considered – and rejected – the arguments that enforcement difficulties or the existence of Mutual Legal Assistance Treaties (MLAT) militate against the use of production orders in cases like this.

Federal Court of Appeal: Past privacy consent does not prevent new means of handling and distributing personal information

2017-12-02T09:13:00.002-04:00

The Federal Court of Appeal released its long-awaited decision in Toronto Real Estate Board v Commissioner of Competition on Friday, December 1, 2017. The decision is a statutory appeal and is the latest chapter in a very long saga in which the Competition Bureau has accused Canada's largest real estate board of acting in an anti-competitive manner to prevent new forms of competition in the real estate market.

The Canada Real Estate Board (CREA), and its members such as the Toronto Real Estate Board (TREB) own and operate the Canadian Multiple Listing Service (which is the backbone of realtor.ca). A lot of information about current properties on the market is available on the site and realtors have access to a much wider range of information, including historical sales and listing information that is essential to carrying out market analyses for buyers and sellers.

The main issue is that TREB has not permitted innovative forms of real estate sales, such as online, using this much richer information. And privacy was one of the reasons TREB pointed to in order to justify its practices:

[2] TREB maintains a database of information on current and previously available property listings in the GTA. TREB makes some of this information available to its members via an electronic data feed, which its members can then use to populate their websites. However, some data available in the database is not distributed via the data feed, and can only be viewed and distributed through more traditional channels. The Commissioner of Competition says this disadvantages innovative brokers who would prefer to establish virtual offices, resulting in a substantial prevention or lessening of competition in violation of subsection 79(1) of the Competition Act, R.S.C. 1985, c. C-34 (Competition Act). TREB says that the restrictions do not have the effect of substantially preventing or lessening competition. Furthermore, TREB claims the restrictions are due to privacy concerns and that its brokers’ clients have not consented to such disclosure of their information. TREB also claims a copyright interest in the database it has compiled, and that under subsection 79(5) of the Competition Act, the assertion of an intellectual property right cannot be an anti-competitive act.

Focusing on the privacy argument, TREB essentially argued that people who consented to having their information made available when they hired a realtor, really only consented to having it made available through traditional channels and not published online. The Tribunal below was of the view that TREB's privacy arguments were pretty flimsy and one gets the sense that it was really a pretext to justify their way of doing things.

[131] In considering privacy as a business justification under paragraph 79(1)(b), the Tribunal found that the “principal motivation in implementing the VOW Restrictions was to insulate its members from the disruptive competition that [motivated] Internet-based brokerages”. It concluded that there was little evidentiary support for the contention that the restrictions were motivated by privacy concerns of TREB’s clients. The Tribunal also found scant evidence that, in the development of the VOW Policy, the VOW committee had considered, been motivated by, or acted upon privacy considerations (TR at para. 321). The privacy concerns were “an afterthought and continue to be a pretext for TREB’s adoption and maintenance of the VOW Restrictions” (TR at para. 390).

TREB argued that nobody consented to having this information disseminated via the internet or "virtual office websites" (VOWs), so new consent would be required to do so. Absent new consent, this information cannot be disseminated online:

[160] While the Listing Agreement used by TREB provides consent to some uses of personal information, TREB asserts that had the Tribunal examined it more closely, it would have found that the Listing Agreement did not provide sufficiently specific wording to permit disclosure of personal information in the VOW data feed. Specifically, TREB contends that the consents do not permit the distribution of the data over the internet, and that is qualitatively different from the distribution of the same information by person, fax, or email.

The Commissioner argued that consent for PIPEDA purposes is to the "purposes" proposed for the collection, use and disclosure of personal information, and not the means by which it would be disseminated. The Court of Appeal agreed:

[164] The wording in the Listing Agreements from 2003 onwards is substantially similar to that quoted above. However, the phrase “during the term of the listing and thereafter” (underlined above), first appears in 2012. The Use and Distribution of Information clause in the Listing Agreement is broad and unrestricted. Sellers are informed that their data could be used for several purposes: for distribution in the database to market their house; to compile, retain, and publish statistics; for use as part of comparative market analysis; and any other use in connection with the listing, marketing, and selling of real estate. Nothing in the text implies the data would only be used during the time the listing is active. Indeed, the use of data for historical statistics of selling prices necessitates that the data will be kept. The Tribunal noted that TREB’s policies 102 and 103 add that, apart from inaccurate data, “[n]o other changes will be made in the historical data” (TR at para. 401). We note as well that clause 11 of the Listing Agreement allows for the property to be marketed “using any medium, including the internet”.

[165] PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose–the purpose remains to provide residential real estate services and the Use and Distribution of Information clause contemplates the uses in question. The argument that the consents were insufficient−because they did not contemplate use of the internet in the manner targeted by the VOW Policy−does not accord with the unequivocal language of the consent.

Why is this important? Because it is clear that though technology may shift and putting services online may change the extent of the distribution of information and the possible uses of the information by someone who accesses it, the key to obtaining consent is to clearly articulate the purposes of the collection. The stated purposes are what dictate how the information can be used, but do not dictate the means of dissemination.