Canadian Privacy Law Blog

PIPEDA: Canadian Privacy Law 101 - a primer on the privacy law that regulates businesses in Canada

2026-03-04T09:25:00.001-04:00

An overview of privacy law that regulates private sector businesses in Canada (or those outside of the country who deal with personal information of Canadians): the Personal Information Protection and Electronic Documents Act (PIPEDA).

Introduction

Today I'm going to be talking about Canadian privacy law—a bit of a primer on the subject that will hopefully be useful for a range of folks.

This is intended to be general information, an overview, and a primer. This is a complicated area of the law, and it's one that is changing regularly and one that is really primed to change again in a significant way.

Look at the date on this; the information may become out of date relatively quickly. We expect that there will be a new bill presented in Parliament to completely replace our current federal privacy law. So you might ask “why do an overview of a law that’s on its way out?” Well, even if we do get a new privacy bill in the spring of 2026 and it passes, I expect it’ll be years before it is fully implemented.

And any new law will likely be very similar, a least in many significant ways.

So, what I'm going to talk about is why Canada has so many privacy laws to begin with. Then I'm going to focus specifically on Canada's federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Within that, I'm going to talk about some key concepts that are contained in the legislation. I'll talk about the 10 principles that PIPEDA, the federal privacy law, includes. I'm going to talk about how the legislation is enforced, and then I'm going to finally talk about data breach notification as it exists in the Personal Information Protection and Electronic Documents Act. Throughout, I’ll touch on some of the similarities and differences between our various privacy laws.

The Canadian Privacy Landscape

So, what's the current privacy law landscape in Canada? Well, we have a mosaic of privacy laws, or you could even say we have a mess of privacy laws. Canada is a federal country, and unfortunately, I’ll have to talk a bit about federalism.

But across the country from coast to coast to coast, pretty well all government activity is subject to one form of privacy law or another. All private businesses operating in Canada are subject to a variety of privacy laws. The healthcare sector is subject to privacy laws in varying ways in different provinces. And the private sector workplace is really not subject to much regulation other than what's called a federal work undertaking (your business within federal jurisdiction) or private sector workplaces in British Columbia, Alberta, and Quebec.

Canada is a federal country. We have a federal government, and we have provinces and we have territories. And the Canadian Constitution gives certain jurisdictions, or certain forms of jurisdictions, certain powers. So it's divided between the federal government and the provinces. The territories are within federal jurisdiction.

Within our constitution, provinces have exclusive jurisdiction to legislate over what's called "property and civil rights," and this generally includes privacy. And so the provincial governments have exclusive jurisdiction over privacy when it's a matter of property or civil rights. The federal government has jurisdiction over something called "general trade and commerce," which is actually less general than you might think it is. And the federal parliament also has jurisdiction over federal works, undertakings, or businesses. Those are telecommunications companies, federally chartered banks, airlines, inter-provincial works, and things like that.

Only the provinces can pass “true” privacy laws, but the federal government can regulate how businesses manage personal information. So what we end up with is overlapping or potentially overlapping jurisdiction for privacy.

In Canada, we don't have federal supremacy where the existence of a federal law will automatically override a similar or identical provincial law. So we have a situation where the federal government has jurisdiction over certain things, and privacy can be characterized as a matter of regulating the general trade and commerce in Canada, and provinces have jurisdiction over privacy as a matter of property and civil rights. And so the two have to find a way to co-exist. It's not that elegant, but generally, it works in Canada.

Each provincial and federal government can clearly regulate themselves—there's no doubt about that under the Canadian Constitution. And the provincial public sector also includes what we sometimes call the MUSH sector: Municipalities, Universities, Schools, and Hospitals. So provincial and federal governments and their Crown corporations, for example, and their agencies are subject to federal or provincial public sector privacy laws.

Some provinces have specific statutes for the health sector, and I'm not going to get into that too much.

At least in the private sector, we have a possibility of overlapping and contradictory jurisdiction since the provinces can regulate privacy as a matter of civil rights, and the federal government can regulate how businesses collect, use and disclose personal information. When the federal Personal Information Protection and Electronic Documents Act was passed, only one province – Quebec – already had a private sector privacy law. Quebec is very protective of its jurisdiction, so to try to avoid fights, the federal parliament built in a mechanism by which the federal government could cede jurisdiction for privacy in a province that has a substantially similar law.

Currently, Quebec, Alberta and British Columbia have general private sector privacy laws that are deemed to be substantially similar, so the federal law does not apply in those provinces where the provincial law applies. The same has been done for a number of health privacy laws, like the ones in Ontario, Nova Scotia, New Brunswick, Prince Edward Island, and Newfoundland and Labrador.

Development of PIPEDA and the CSA Model Code

Though we could have just looked at the European Data Protection Directive that was enacted in 1995, Canada did its own "made in Canada" solution. In the 1990s, the Canadian Standards Association (CSA), which sets standards for electrical devices and business processes, did a very broad consultation and came up with what was intended to be a self-regulatory code for privacy in Canada. It’s called the Canadian Standards Association Model Code for the Protection of Personal Information. This was adopted in 1996 as a national standard of Canada.

Importantly, it was developed with a wide range of consultations across a large number of industries. There was also general consensus that it was pretty good. If you have an international background in privacy, you'll see that it has a significant kind of overlap and echoes of the OECD guidelines from the Organization for Economic Cooperation and Development. Now the OECD guidelines have eight guidelines; the CSA model code has 10 general principles. I'm going to go through each of those 10 principles and talk about how they're implemented within Canada.

So how was PIPEDA developed? In the 1990s, when the government of Canada wanted to use the general trade and commerce power to implement a privacy law. Rather than coming up with one from scratch or poaching the European Data Protection Directive, the then federal government just decided to implement the CSA model code. We have this great code, there’s a lot of consensus around it and we want to come with a privacy law. Why look further afield?

And so PIPEDA is an unusual statute in a bunch of ways. It has two parts: one part related to personal information protection, the second part related to electronic documents. Essentially, the “Personal Information Protection Act” and the “Electronic Documents Act”, but they jammed them both into one Act. Part one covers privacy, but they slapped the CAS Model Code for the Protection of Personal Information onto the back of it, and says that those organizations that are subject to these rules have to follow the CSA model code.

Now there are quite a few exceptions. The legislation has also been updated a couple of times. The most significant revamp was with the Digital Privacy Act a number of years ago, which put in place data breach notification requirements that I'm going to talk about later on, and also implemented an exception to the consent rule related to certain kinds of business transactions.

Now PIPEDA was designed to be adequate for the purposes of the European Data Protection Directive for cross-border data transfers out of Europe. Even though PIPEDA is really, really old, its adequacy was just renewed in January of 2024.

Key Concepts: Commercial Activity and Personal Information

So how does PIPEDA work? What organizations and activities does it apply to?

A key concept that one needs to understand in order to understand PIPEDA and how it works is the concept of "commercial activity". PIPEDA is based on the general trade and commerce power that the federal government has over within the Canadian Constitution. And PIPEDA was designed to go as far as federal jurisdiction would permit it to do. So PIPEDA applies to the collection, use, and disclosure of personal information in the course of commercial activity. It also applies to workplaces and employee personal information but only for federal works, undertakings, and businesses. Those are the kinds of enterprises that are within exclusive federal jurisdiction. (Think airlines, federally chartered banks, telecommunications and the like.)

We also have to talk about a key concept called "personal information". The statute is all about personal information. If you're not talking about personal information, this statute does not regulate it. And personal information, in short, means any information about an identifiable individual, excluding certain business contact information when that business contact information is used to contact an individual in their business role. But it's a very broad definition, so it's any information related to an identifiable individual. So if you can identify the individual from that information, it is going to be personal information.

If it's reasonable that you could identify an individual from that information, or you could correlate that information to an individual, it will also be considered to be personal information. And so that clearly includes somebody's name, their address, their income, health information, demographics, Social Insurance Number, their image, their photograph, biometrics, and things like that. So it's quite a broad definition. If information is adequately anonymized so there's no reasonable possibility of connecting it to an individual, then it would be out of scope of the legislation and the law would not apply to it.

Now an important thing—and this mainly comes up with dealing with American companies and American lawyers—is that whether information is personal information and therefore subject to regulation doesn't matter whether it's "private" information. It doesn't matter whether that information is publicly known or publicly shared. It really has nothing to do with your expectation of privacy in that information. If it is information about an identifiable individual, it is in scope of the legislation and regulated. There may be some consent exceptions related to publicly available information, but those actually seldom come into play because they’re so narrowly tailored.

PIPEDA also has a baseline "reasonableness" requirement. So an organization can only collect, use, or disclose personal information for purposes that a reasonable person would consider are appropriate in the circumstances. And that’s regardless of whether there’s consent.

This provision was seldom used until recent Privacy Commissioners started to look more closely at whether or not the purposes for which certain businesses collect, use, or disclose personal information are reasonable. They sometimes call these “no go zones”. Again, if the purposes are not reasonable, it does not matter whether you have the individual's consent; this is an absolute kind of guardrail sort of provision. Now of course, what is reasonable in the circumstances could differ significantly from one person's point of view to another, and I draw the line in a different place than the Commissioner often does, but this has to be understood as a baseline principle.

The 10 Principles of the CSA Model Code

Recall that the law essentially says: “Behold the CSA Model Code! If you’re engaged in commercial activity, thou shalt follow it!”

Now all 10 principles can be found to greater or lesser degrees in all privacy laws in Canada. Also in the Privacy Act, which regulates the federal government and its agencies. So the CSA model code has 10 principles, and I'm going to walk through all 10 and talk about how they are implemented within the Canadian PIPEDA framework.

Principle 1: Accountability

The first principle is called accountability.

This says an organization is responsible for personal information under its control and has to designate an individual or individuals who are accountable for the organization's compliance with the 10 principles of the CSA model code. That doesn't mean that that individual or those individuals are personally liable. They’re not the folks who get arrested by the privacy cops in dawn raids.

But what it means is that an organization has to appoint a privacy officer. There has to be somebody or a group of somebodies who are responsible within the organization for making sure that these rules are followed, so there's internal accountability. The Code doesn’t say they have to have a particular title, but they’re generally also the privacy spokesperson for the organization, the liaison for customers, and the person who deals with our privacy regulators if necessary.

What it also means is that the organization remains accountable for personal information that it has collected, used, or disclosed, even if it transfers that information to another party to handle it on its behalf.

This is similar to the notion of "controllers" and "processors" in Europe. We do not use the exact same language, but the principle is applicable. If you are the organization that is facing the customer and you have collected personal information from that customer for your purposes, and then you give it to a contractor to manage on your behalf, the first organization remains legally responsible for it and has to make sure that there are contracts in place with their service providers so that the contractors will handle it only on their behalf and will do all the necessary things to remain compliant with the law.

If the contractor screws up, the responsibility remains with the original organization. You can’t contract out of ultimate responsibility under Canadian privacy law.

There is a very important distinction between a "transfer" and a "disclosure". An organization can transfer personal information to a contractor without consent where the contractor is only going to use it as a processor on behalf of the original organization. If it is shared with another organization so that the recipient organization can use it for their own purposes, then that’s a disclosure. A disclosure requires consent, and the company that gets the personal information becomes legally responsible for managing it and protecting it.

Principle 2: Identifying Purposes

The second principle is called identifying purposes. I think this is one of the most important of the ten principles.

The CSA model code says the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. This has two parts:

(1) the organization has to identify – and hopefully document – what it proposes to do with the personal information; and
(2) the organization has to communicate those purposes to the individual before it collects their personal information.

And it really should be noted that privacy policies seldom satisfy this requirement. Because the purposes have to be identified to the individual at or before the time the information is collected, just having a privacy policy on your website does not provide any assurance that the customer or the individual has read, understands, or knows what those purposes are.

One exception may be, for example, on account creation where an individual is required to flip through the privacy statement prior to creating an account and then clicks "I agree".

So what this means in practice is that every organization has to document internally what are all the purposes for which they collect, use, or disclose personal information. Those documented purposes have to be communicated to the individual at or before the time the personal information is collected. Now that can be done orally or it can be done in writing, but the important thing is that it has to be done.

And employees who collect personal information on behalf of a company need to be able to explain the purposes to individuals. This information needs to be provided in a manner that you could have some reasonable confidence that they understand what those purposes are, they understand what it is that they're agreeing to.

Principle 3: Consent

Principle 2 is linked very closely with Principle 3. Principle 3 is the consent principle, and this says the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Now notice that I've struck that out—"except where inappropriate" no longer applies. The only exceptions to the consent rule are contained in the statute itself in Section 7.

That may have made some sense when the CSA Model Code was designed to be a voluntary code and the organization could determine when it was not appropriate. But under PIPEDA, organizations don't get to choose whether or not it's inappropriate to seek consent. Consent is the only basis upon which personal information is collected, used, or disclosed, unless those exceptions apply. And those exceptions are significant outliers.

So unlike in Europe where there are other grounds for processing personal information in the private sector, consent is the principle that is at play in Canada.

This consent has to be informed consent; that’s why Principle 2 (identifying purposes) is so important. The individual has to be told at or before the time the information is collected what the purposes are for the collection, use, or disclosure of personal information. And those “purposes” are the parameters for the consent obtained.

The principle also says that the form of the consent is going to be dependent upon the sensitivity of the information. So the more sensitive the information, the greater the burden of consent. Expectations also come into play. If the consumer expects you to use it for the obvious purposes, consent can be implied.

So you can have opt-out consent where the information is really not sensitive. Opt-in consent would be preferred in most cases. If you're dealing with sensitive information—health information, information about somebody's intimate life or family life or things like that—you would want to make sure that they expressly agree that their information can be collected, used, or disclosed for that purpose.

Written consent should be used in a range of cases, particularly where you’re going to want a record of the consent and a clear record of what was consented to.

This principle also says you cannot require that an individual consent to a collection, use, or disclosure of personal information that's not necessary to fulfill the explicitly stated and legitimate purposes.

Individuals can withdraw consent. This is similar to the European "right of erasure" but not identical. So an individual can withdraw consent at any time, but the organization has the obligation of telling the individual what are the consequences of that withdrawal of consent. For example, the organization might not be able to provide services to the individual if the individual does not consent to the collection, use, and disclosure of personal information that's necessary for the provision of those services.

And the consent of an individual is only valid if it is reasonable to expect that the individual would understand the nature, purposes, and consequences of the collection, use, or disclosure of the personal information to which they're consenting. This highlights the importance of being clear to the individual what those purposes are and having confidence that the individual does in fact understand what those purposes are.

Principle 4: Limiting Collection

Principle 4 is closely aligned with Principle 5, and both of them link back to Principle 2 of identifying the purposes. So Principle 4 says the collection of personal information shall be limited by that which is necessary for the purposes identified by the organization.

So you can only collect personal information that's reasonably necessary for the purposes that you've identified. You cannot collect any more personal information if it's not reasonably necessary for those purposes. And information shall be collected by fair and lawful means, so no use of deceit or trickery or anything else like that.

Note again, this loops back to the purposes identified in Principle 2. Those purposes set the guardrails.

Principle 5: Limiting Use, Disclosure, and Retention

And then Principle 5 leads us to: “you can only use personal information or disclose personal information for the purposes that have been identified.” Again, so much of this comes back to clearly identifying the purposes to the individual. And those purposes create significant guardrails around that information. That information cannot be used for any other purpose unless you go back to the individual, you identify the new purposes, and you get new consent for that.

There's also a requirement to limit the retention of personal information. Personal information shall only be retained as long as is necessary for the fulfillment of those purposes. So the organization needs to clearly document what the purposes are and what the lifecycle of the data is.

The law doesn’t specifically say you need a written document retention plan, but you really should have one. When it is no longer necessary for the purposes that are identified, that information has to be destroyed. Notably, it also says it can be made anonymous; if it's made anonymous, then it's no longer personal information and no longer subject to the legislation.

Principle 6: Accuracy

Principle 6 is the accuracy principle, and this says that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. And so again, it ties back to the purposes that have been identified to the individual.

This principle really only comes into play when personal information is used to make a decision about somebody. And so an organization needs to make sure that the information is as accurate as it needs to be for those purposes, probably taking into account what are the consequences of that decision to the individual. But information should not routinely be updated "just because".

Principle 7: Safeguards

Principle 7 is a key principle, it's entitled "Safeguards". Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. And it goes on to say that personal information must be protected from many threats: loss, theft, unauthorized access, unauthorized disclosure, copying, use, modification. And this obligation exists regardless of the format in which it is held.

Now you'll note that this is principles-based. This requires an organization to use safeguards that are reasonable and appropriate in light of the sensitivity of the information. So we don't have prescriptive rules that say this sort of information must be encrypted or this sort of information must be kept under lock and key.

This is designed to be technologically neutral and so that it would survive over time. So this was written in the late 1990s, became law in 2001, and so what are “reasonable safeguards” now would differ substantially from what would be reasonable safeguards in 2001. It's intended to be flexible and fluid.

What I generally tell my clients is that you need to implement at least the "state of the art" of security safeguards that are prevalent in your industry—not just in Canada, but also look internationally. And try to do one better than that.

This doesn't require a standard of perfection. The safeguards need to be reasonable and appropriate in the circumstances. A company is NOT expected to spend a million dollars to protect a hundred dollars worth of personal information. And as information technology systems get more complicated, safeguarding that information gets more complicated and more difficult.

Principle 8: Openness

Principle 8 is called openness. An organization shall make readily available to individuals specific information about its policies and practices related to its management of personal information. So this essentially means the organization has to have a privacy policy. The privacy policy is not about identifying the purposes in order to get consent; the privacy policy is in order for the organization to be open and transparent.

That privacy policy has to have contact information for the privacy officer—doesn't have to name them, but has to have the contact information. It has to tell the individual how they can exercise their access rights.

It has to educate the individual with the general account of what personal information the organization routinely collects, uses, and discloses, and how it is used. This can be done through brochures or through the website or other things like that. And the organization also has to let the consumer know what personal information is made available to related organizations.

The Privacy Commissioner Canada has also said the privacy statement should include information about what personal information may be stored outside of Canada, transferred outside of Canada, or accessed from outside of Canada. That is not in the statute, but that certainly is a best practice. The Alberta and Quebec privacy laws make those disclosures mandatory.

Principle 9: Individual Access

Principle 9 is individual access. So upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. In that process, an individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. So this is a data subject access right. The organization has to respond within 30 days.

And the organization needs to let the individual know to whom their information may have been disclosed. So organizations effectively have to keep a record of how they use personal information and to whom it's been disclosed.

This access should be at minimal or at no charge, and the information provided needs to be comprehensible to the individual, so abbreviations and technical terms may need to be explained.

There are some limitations and some exceptions to this access right, such as confidential business information, third party personal information and information that is privileged.

What is interesting is that this right is not exercised as often as you think it might be in Canada.

Principle 10: Challenging Compliance

The final principle is called challenging compliance. And this says an individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals who are accountable for the organization's compliance.

This is just common sense. The organization will want to hear complaints first before the individual goes to the regulator. The organization will probably want to have an opportunity to address them and to fix them before an individual chooses a more formal path of recourse. And must have a method to receive complaints, address them properly, and need to let the individual know that they have a right to complain to the appropriate authority.

Enforcement Powers

So now I'm going to talk about enforcement powers under Canadian privacy laws. The Personal Information Protection and Electronic Documents Act is overseen by the Privacy Commissioner of Canada or the Office of the Privacy Commissioner of Canada, sometimes referred to as the OPC.

The Privacy Commissioner of Canada is an ombudsman. The Commissioner doesn't have the ability to levy fines or issue orders. Only the Federal Court of Canada can issue orders or award damages. What the Commissioner does is the Commissioner deals with complaints first and foremost. Any individual can send a written complaint to the Privacy Commissioner of Canada. The Commissioner can also initiate complaints of his own accord.

I should note that the Alberta, British Columbia and Quebec Privacy Commissioners can issue orders, and the Quebec commissioner also has considerable financial penalty powers.

But back to the federal Commissioner: After a complaint is received, the Commissioner investigates the complaint, and there's minimal involvement on the part of the complainant in most cases.

During that investigation, the Commissioner has very strong powers. So for example, the Commissioner can compel evidence, can issue essentially subpoenas, can administer oaths, and accept evidence under oath. The Commissioner can also accept and review evidence that ordinarily would not be admissible in court. The Commissioner can also enter any premises other than a dwelling and review any documents in there.

So far we've never had any "dawn raids" by the Privacy Commissioner of Canada. I don't think that any of these particularly intrusive powers have ever been used until relatively recently. It's always been my experience in speaking for myself and speaking with colleagues that those who are the subject of the complaint tend to cooperate, at least in the course of the investigation.

The end product of the investigation is a report. It's called a Report of Findings. The Commissioner has to issue a Report of Findings with respect to an investigation within one year from the day the complaint is filed. Now in my experience, that's seldom the case; they usually take more than a year. But that may reflect the complexity of cases that I generally deal with.

The finding says here’s what the Commissioner found, essentially. Here's what the person complained about, here is what I investigated, here is what I found.

If the Commissioner found non-compliance, the report will include recommendations, and those recommendations will generally be communicated to the organization in the course of the investigation, so the organization can implement those prior to the conclusion of the investigation.

Though the Commissioner does not have order making powers nor can he levy penalties, the "naming and shaming" is a significant incentive for businesses to cooperate. Some of the findings are published—but not all. And for high-profile investigations, particularly those involving large American tech companies, there tends to be a lot of fanfare that goes along with the issuance of a report of findings, including press conferences and things like that.

Many organizations do not want to be the subject of naming and shaming like this, so will do what they can to be compliant to ultimately resolve the complaint to the satisfaction of the complainant and the Commissioner.

Those findings will fit into a number of categories:

Not well-founded: which means that the complaint was not made out, the Commissioner did not find any violations of Canadian privacy laws.
Well-founded and resolved: meaning that ultimately there was an issue, but it was resolved in the course of the investigation.
Well-founded and conditionally resolved: so the organization has been asked to report back with changes that it has made over a medium-term or longer-term.
Well-founded and unresolved: and those are relatively rare.

Organizations tend to want to resolve the matter during the investigation stage. And if it's unresolved, then the Commissioner can in fact take the organization to court, or the complainant can.

Court Hearings

Court hearings are essentially where the enforcement rubber hits the road. Some people suggest that the Commissioner's lack of an ability to issue fines or issue orders is a bug with the legislation, and the process of going to court is somewhat cumbersome. I tend to think it's more of a feature that, when it comes to these sorts of measures, it's best reserved to a court, particularly where the resolution turns on the interpretation of the statute.

In these court hearings, a complainant—but not the organization—can start an application in our federal court for a hearing. And it is notable that the organization does not have any automatic ability to take the Commissioner to court to have the Commissioner’s report reviewed or appealed or overturned.

In fact, what happens in court is not an appeal at all; it's what's called a de novo proceeding. The court starts from scratch. The Commissioner might be a party with the cooperation of the complainant. It may in fact be the Commissioner who's carrying the bag on all of it in going to court, but it's not a review of the Commissioner's finding; they start from scratch. And this can only be done once the report from the Privacy Commissioner has been finalized and delivered.

There is a way to get into court in the course of an investigation on something called a "judicial review" if there are jurisdictional issues or other things that might need to be considered by the court, but generally, it's only after the report of findings is issued.

Perhaps not surprisingly, the court has pretty broad remedial powers—that's what courts do. The courts are empowered to order the organization to correct their practices in order to comply with the provisions of the act. Can also require the organization to publish a notice of actions that they have taken in order to correct their practices—so, I guess, a "double naming and shaming". And finally, the court can award damages, including damages for humiliation that the complainant might have suffered.

It should be noted that there is no mechanism through PIPEDA for a class action to be brought within this process. You have an individual complainant, you have the Privacy Commissioner, and you have a case before a judge.

Commissioner Audits

The Commissioner also has the power to audit organizations.

The Commissioner can initiate one of these if, on reasonable grounds, the Commissioner believes the organization is contravening a provision of Division 1 or Schedule 1 of the act. And during the course of an audit, the Commissioner has pretty well the same powers that the Commissioner has in an investigation: take evidence, enforce attendance, and have the powers of a superior court of record. He can enter any premises other than a dwelling house, examine any records or extracts of records.

To my knowledge, the federal Privacy Commissioner of Canada has not initiated any audits of any private businesses. The Commissioner has, at least on one occasion, requested that the organization obtain a third-party audit and provide the report of that audit to the Commissioner. But the Commissioner would not be able to order that.

As I understand it, the Commissioner doesn't feel that their office has sufficient resources in order to go about auditing organizations. One thing that they have asked Parliament for is a power to order audits of organizations and their information handling practices.

So the key “stick” that the Commissioner actually has is this power of publicity. Because within the act, the Commissioner is specifically empowered to make public any information related to the personal information management practices of an organization if the Commissioner considers that it's in the public interest to do so.

Data Breach Notification

In 2015, Parliament amended PIPEDA to bring in data breach notification requirements.

We now have data breach reporting to the Commissioner, data breach notification to the affected individuals, and a record-keeping requirement embedded in these amendments.

It should also be noted that there may be a common law duty to notify affected individuals if their personal information has been compromised in a way that could affect them, particularly if giving them notice and warning would give them an opportunity to mitigate harm that could happen to them.

But we're going to focus on the statutory requirements.

As with any data breach law, you always have to be very careful about the definition of what is a "breach". So what triggers this whole process? In PIPEDA, it is a "breach of security safeguards", which means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards that are referred to in Clause 4.7 of Schedule 1 (so that's Principle 7) or from a failure to establish those safeguards.

The notice and reporting obligations become triggered if there is a breach of security safeguards where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. This particular provision talks about the personal information being under the control of an organization. So this says to me that the obligation to report to the Commissioner is only on the part of a data controller, not a data processor.

As between any data processor and the controller, there should be a clear contract that says the processor will notify the controller so that the controller can report any data breach that they have to the Privacy Commissioner, and so that they can notify affected individuals.

Subsection 2 talks about what has to be in the report, and I'll get into that in just a moment. And Subsection 3 talks about notification to affected individuals.

Again, the definition—what is a breach of security safeguards—refers back to Principle 7, “Safeguards”. And so what this principle requires is that an organization implement reasonable security safeguards to protect against a list of risks that is appropriate and commensurate with the sensitivity of the information at issue. So it's not unduly prescriptive; it's what's reasonable in the circumstances.

And again, this comes back to the concept of sensitivity. So we don't have strictly defined categories of what is sensitive personal information. Personal information can be more sensitive or it could be less sensitive depending upon the circumstances, depending upon the context in which the information is collected.

We do have some helpful guidance or wording in the CSA model code to help determine what information is more sensitive or less sensitive. Certainly information about somebody's private life, their intimate life, their family life, information about their race, ethnicity, religion, those sorts of things, financial information, health information would all be considered to be at the more sensitive end of the spectrum.

But somebody's name can be less sensitive or more sensitive depending upon the circumstances. So if your name appears on a list of people who attended a hockey game, for example, that's not particularly sensitive. If your name appears on a list of people who have upcoming appointments with a psychiatrist, that would be sensitive information, because the context in which that information appears tells you information about that person's private life, their mental life, their health conditions, or things like that.

Real Risk of Significant Harm

The triggers of notification and reporting relate to "real risk of significant harm".

This is a two-part test: you look at the real risk and then you look at the possible significant harm. And real risk depends upon the sensitivity of the personal information involved and the probability that the personal information has been, is being, or will be misused. And there may also be other prescribed factors, but we haven't seen new factors to consider.

So you're looking at what's the likelihood that mischief will take place; what are the circumstances in which the breach took place?

One example may be a lost hard drive and there's no information to suggest that it was stolen by a bad guy. It was just misplaced. You don't have any real sense that mischief is afoot. That seems low risk of harm.

But if somebody breaks into your network and exfiltrates information, you already know that there's a bad guy involved, or a "threat actor" as the cool kids say. That tells you there’s a high risk that bad things are likely to happen. Or at least bad things are more likely to happen in a scenario like that.

The second part of the analysis is “significant harm”, and that requires you to ask “what could go wrong?” You ask “What could this information be used for? How could this information be abused?”

The legislation specifically talks about certain kinds of harm being significant: “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on the person's credit record, and damage to our loss of property.”

It ties pretty closely to the concept of sensitivity.

In some jurisdictions, reporting is based simply on the type of data involved – more often tied to risk of fraud and impersonation.

The significant harms that are at play and have to be considered in Canadian privacy legislation are much broader than that, and relate to kind of “softer elements” of privacy and personal life.

Reporting Requirements

For a report to the Commissioner, the legislation prescribes what has to be contained in that report. Not surprisingly, the Privacy Commissioner of Canada has a form on his website that contains this information to fill out and report.

They generally want to know:

who was the organization,
what was the nature of the information,
what were the circumstances of the breach,
when was it discovered,
how many people are affected,
what steps have you done to mitigate, to stop the breach and to mitigate the risk of harm, and
who is able to be a point of contact for the Privacy Commissioner.

The Commissioner can initiate an investigation based on a report, but most of these are just received with thanks and that's largely the end of it. The notice to individuals is generally quite similar to the information that has to be provided to the Commissioner, though the organization is also required to tell the individual if there are steps that that individual could take to mitigate any harm to themselves.

Record-Keeping Requirements

Now one additional thing that's notable is there's also a “record-keeping” requirement. This says, regardless of whether or not there's a real risk of significant harm to the individual, every organization must create a record related to every breach of security safeguards, regardless of how trivial.

That record has to contain essentially the same sort of information that you would include in a report to the Commissioner. It should also include information to substantiate the conclusion that there was not a real risk of significant harm to the affected individuals, so that no report was required.

These reports have to be kept by the organization for two years. And they have to be provided to the Privacy Commissioner of Canada on request. So this does create a discoverable paper trail in the event of litigation.

It should also be noted that the Privacy Commissioner has in fact, on his own accord, conducted surveys of organizations requiring them to provide to his office and his investigators all of these breach records in order to make sure that they are being created and maintained appropriately.

Importantly, it's an offense to not create these records, and to not maintain them for the period of two years. It’s also an offense to not provide them to the Commissioner.

Conclusion

So, I hope this has been a useful, informative overview about Canadian privacy law. As I said, it was mainly intended for a general audience of folks who may have a need to know the basics of Canadian privacy laws.

Privacy, Online Fraud, and What You Can Do About It

2026-02-01T19:00:00.008-04:00

This past week, I was invited to speak with a client’s employees for International Data Privacy Day about “Privacy, Online Fraud, and What You Can Do About It”. There were a few hundred people on the call and I’m told it was well-received. So I’ve decided to take that presentation and turn it into an episode for this channel / podcast.

In my practice, I get to do some really awesome things with really great people who bring innovative products to consumers and business customers. But I also see some pretty shady, horrible stuff that takes place online.

I don’t know what the proportion is between people who are awesome and innovative, and people who are horrible and innovative. There are a lot of horrible people out there who are really crafty, and have found the internet and digital tech to be a great avenue to take your money from you.

So what I want to do today is raise awareness about privacy, explain how it connects directly to online fraud, and walk through the kinds of scams and misuse of personal information I’m seeing most often. I’ll also spend some time on practical, concrete steps individuals can take to protect themselves.

What Is Privacy — and Why Does It Matter?

Privacy is a weird thing. It’s very personal, so it varies from person to person. It also is culturally informed. At the end of the day, privacy expectations vary enormously.

Different countries — and even different generations — have very different norms around personal information.

You’ll often hear people say that “young people don’t care about privacy”. That hasn’t been my experience at all.

Young people care deeply about privacy — but they’re very intentional about “audience”. I often point to examples like people having multiple social media accounts on the same platform: one instagram account for close friends, another that’s more public and curated. That’s not a lack of concern for privacy; it’s a sophisticated understanding of it.

Privacy also depends on context. People post different things on LinkedIn than they do on Facebook, and different things again on Instagram or in a private group chat. The audience matters, and expectations matter.

Privacy as a Legal and Compliance Issue

In workplaces, privacy most often shows up as a legal and compliance issue.

In Canada, privacy laws differ by jurisdiction. In this context, jurisdiction can mean province to province, and it can mean between provinces and the federal government. It can also mean between the health sector and other sectors. But these laws generally share a common structure. But today I’ll focus on the privacy laws – federal and provincial – that govern what personal information businesses can collect, use or disclose, and the parameters around that.

Very broadly, these laws say that organizations may only collect, use, or disclose personal information:

for purposes that are reasonable;
that have been explained to the individual;
that the individual understands; and
that the individual has consented to, subject to limited exceptions.

Those purposes are critical. They are the thread that runs through privacy law.

Organizations can only collect information that is necessary for the stated purposes. They can only use it for those purposes. If they want to use it for some other purpose, they generally have to go back to the individual and obtain new consent.

And once the information is no longer needed, it should not be kept indefinitely. Retention has to be tied to legitimate purposes, such as legal requirements or risk management. If you don’t need it anymore for the “purposes”, get rid of it.

Privacy laws also require organizations to protect personal information using safeguards appropriate to its sensitivity.

The more sensitive the information, the higher the expectation of protection.

A lot of privacy complaints and mistrust come down to expectations. People feel unsettled or “creeped out” when information is used in ways they didn’t expect, disclosed to people they didn’t expect, or wasn’t protected to the level they expected.

The law doesn’t talk about being “creeped out,” but that reaction is often a sign that expectations were not properly set or respected. It means you haven’t clearly identified the purposes and gotten their OK.

Privacy Harms

Canadian privacy law now explicitly recognizes a range of harms that can result from misuse of personal information, including:

bodily harm;
humiliation or embarrassment;
damage to reputation or relationships;
loss of employment, business or professional opportunities;
financial loss;
identity theft;
negative impacts on credit records; and
damage to or loss of property.

Even information that seems relatively innocuous — like an email address — can create real risk when taken out of context.

For example, if someone obtains an email address from a particular organization, they know the individual has a relationship with that organization. That makes phishing attacks far more convincing. For example, a bad guy gets a customer list for a business. The bad guy can send emails to the customers pretending to be someone from the business, asking them to “update their billing information” or something. The fact that it looks like it comes from someone they know makes it more likely that the recipient will act on that email.

The Scale of Online Fraud

Online fraud is enormous in scale. According to the Canadian Anti Fraud Centre, they had more than 33 thousand reports in the first three quarters of last year, with more than half a billion dollars lost — and that’s almost certainly an understatement, because many victims never report what happened.

Fraud affects individuals, families, businesses, schools, hospitals, and governments. While large organizations often make headlines, individuals frequently suffer the most direct harm.

The Canadian Anti-Fraud Centre has an enormous catalog of the types of fraud that get reported and it’s worth taking a look at it to help understand all the different varieties of scams and frauds that are out there.

As I said, it’s enormous but I’ll go through some of the most common fraud types that I’m seeing and then will provide some pointers on how to protect yourself.

Common Fraud Scenarios I’m Seeing

Email Account Intrusions and Business Email Compromise

One of the most common starting points is an email account compromise.

If someone gains access to your email, they often gain access to much more: documents, shared drives, financial systems, and internal platforms. There’s a lot in your email inbox that a bad guy can use to cause harm.

In many cases, the harm that they can cause is impersonating the person whose email they’ve taken over. I’ve seen far too many cases where attackers simply watch — waiting for the right opportunity to inject themselves into a conversation.

I’ve seen situations where attackers impersonate trusted employees and send emails redirecting payments or requesting urgent action. Because the email comes from a real, trusted account, it’s very convincing.

Funds Transfer and Payroll Fraud

A classic example is funds transfer fraud. An attacker impersonates a vendor or employee and provides “updated” banking information. Payments or payroll deposits are quietly redirected to fraudulent accounts, sometimes for weeks before anyone notices.

I’ve seen many cases where a company is about to make a big sale, and some bad guy lurking in their system impersonates the sales person or a person from finance and tells them the payments for the widgets should be made to a particular bank account. That’s not the company’s actual bank account, but one that the bad guy has access to.

Another, smaller scale example is a bad guy who knows that a person is employed with a particular company and gets the contact information for the payroll department of that company. One email that convincingly looks like it comes from the employee sent to HR saying “I’ve switched banks, so please have my direct deposit go to this new account ….” In the grand scheme of online fraud, that’s relatively small potatoes, but a bad guy that does that A LOT will make a lot of money. And leave a lot of frustrated employees in their wake.

Tech Support Scams

Many people have received calls claiming to be from Microsoft or their internet provider, warning about suspicious activity.

The goal is to convince the victim that they have to make changes to their computer, which is really to install remote access software. Once that happens, the attacker might as well be sitting at your computer. They can block you from using it, they can control the computer, access saved passwords, log into online banking, and move money.

I’ve seen cases where victims were locked out of their own computers while attackers logged into online banking and emptied accounts in real time.

I’ve also seen cases where bad guys have used remote access software to just watch everything the person was doing on the computer, waiting until they can extract the most cash.

Grandparent and Family Emergency Scams

This increasingly common scam targets grandparents, which is one of the most heartless, reprehensible scams out there. It targets pensioners and exploits the best intentions of these victims.

Attackers impersonate grandchildren or other family members using information found on social media, claiming they’ve been injured, arrested, or stranded. They create urgency and demand immediate payment.

In some cases, AI is now being used to mimic actual voices, making these scams even more convincing. In other cases, the scammer pretends to be a lawyer, telling the grandparent or family member that a loved one has been arrested and requires immediate bail money.

Fake Renewals, Refunds, and Overpayments

These include fake subscription renewals, refund scams, and overpayment schemes on online marketplaces.

In some cases, you’ll get a text message or an email saying that some service is about to renew for a huge sum, and “click here” to cancel the renewal. That click takes you to a fake site that is looking for your Amazon, Netflix or other online credentials. With that information, they can impersonate you and perhaps your payment information.

In an overpayment scam, for example, a buyer sends a cheque or bank draft for more than the agreed amount. They say it was a mistake or was intended to cover processing charges, and then asks the seller to refund the difference — before the original payment is discovered to be fake. Before the cheque or bank draft is found to be fake by the seller’s bank, the seller has already sent actual, non-refundable funds to the scammer.

Fraudulent legal notices

There’s a pretty common scam, usually via text message or email, that purports to be a legal notice saying that you have an outstanding fine or other sort of payment that needs to be made to a government authority. Last year I got one that purported to be from the “Ministry of Transportation of Canada” that said my license would be revoked, my vehicle registrations would be blocked and there could be further action if I didn’t pay a parking ticket using the link below.

Some of them will refer to overdue taxes and penalties. Yeah, it’s just fraudulent.

Ransomware and Data Theft

Ransomware attacks lock people and organizations out of their systems and often involve theft of sensitive data. Using a number of means, including malware infected email attachments or installing remote access software I discussed before, a bad guy gets into a computer system and installs software that will encrypt all the data on the system or the network.

They will then blackmail the victim to pay some amount in bitcoin to get the decryption key.

Once companies realized that having good backups out of reach of the bad guys would mean they didn’t have to pay for the decryption key, the bad guys started to download all the data they could get their hands on before encrypting it.

So even organizations with good backups may feel pressure to pay to prevent stolen data from being leaked or misused.

So many of the cybercrime stories that hit the headlines are ransomware, as they will often shut down a business for days or even weeks before things get sorted out.

Sextortion targeting young people

In my book, if you go after pensioners and whatever savings they have, you’re an absolute horrible person. But words fail me in describing the grotesque and vile people who target young people with sextortion.

In this type of crime, fraudsters create fake profiles on social media, discussion boards and dating websites. Impersonating the persona they’ve adopted, they reach out to people – often young people – and lure them into a relationship. Using a whole range of manipulative tactics, they coerce the into taking intimate images of themselves or performing sexual acts on camera. The victims sincerely believe that they are in a relationship with the bad guy. Then he records the session and threatens to send the image or video to other people – like family members or friends – unless they pay or provide more sexual content.

It prays upon young people’s vulnerability and exploits shame. Many victims have died by suicide and the horrible perpetrators go onto the next victim.

So What Can You Do to Protect Yourself?

There is no such thing as perfect security, but there are practical steps that can significantly reduce risk.

Try to Slow Down

Scammers rely on urgency. If someone is pushing you to act immediately, that alone should raise red flags. The bad guys want you to act immediately so you don’t have a chance to reflect on what’s really going on. Take a deep breath, step back and remember that very few things require an immediate decision – particularly for a situation that comes out of the blue.

Verify things Independently

Never rely on contact information provided in a suspicious email or call. Use a trusted number or address you already have.

For example, if your “bank” calls you and asks for information, hang up and call the number on the back of your bank card.

Never let a stranger tell you to do anything on your computer or your phone

No legitimate company will cold call you and tell you to do anything on your computer or phone, or tell you to install software. If that happens, hang up.

Use Two Factor Authentication

Two factor authentication adds a critical layer of protection. Even if someone gets your password, they still can’t log in without the second factor. Many forms of two-factor authentication, like SMS, are not perfect, but they’re all better than most alternatives.

Never Reuse Passwords

Credential theft is widespread. Reusing passwords means a low risk breach can quickly turn into access to your bank or email.

A lot of companies are hacked on a regular basis, with the bad guys going after customer login information. If you used the same password to order a pizza as you use for your online banking, if that pizza place is hacked, bad guys will likely try that user name and password in other places. A lot of the emails and texts you may get saying that your Netflix has expired are hoping that the login information you put into their fake website will also work on your bank.

Be careful about What You Share Publicly

Be mindful of what you post on social media, especially travel plans and family details. Police report that burglars use vacation posts to choose houses to break into. And the grandparent scams I mentioned before often rely on determining relationships between people from social media sites.

Use a Family Verification Question

For family emergency scams, have a simple verification question that only real family members would know. I’ve told the seniors in my family that if they ever get a call purporting to be from any of my kids, they should ask them for the name of a particular animal that was important to them when they were growing up and that they’d never forget. That name is not on any social media site and anyone who can’t answer that question immediately is an impersonator.

Never buy gift cards at someone else’s direction

One of the most common ways that scammers try to get “money” from victims is having them purchase gift cards. Once the cards are bought and the scammer gets the numbers from the back of the cards, they can use the value from those cards. Actual government agencies will never, ever, ever ask for payment via iTunes or Amazon gift cards. If anyone mentions any sort of a gift card, red flags should go up and alarm bells should start ringing.

Set Alerts and Limits

You should set alerts on your financial accounts so you’re notified when money moves. Someone may have picked your wallet out of your pocket, or taken your credit card number. If you get alerted as soon as a transaction happens, you can immediately contact your bank to have it addressed.

And lower your daily transaction limits if you don’t need higher ones. Scammers who get into your online banking will use money transfer services to send money to other accounts. If you rarely Interac e-transfer more than a couple of hundred dollars per day, set your limit that low. If you have an unusually large payment to make, you can contact your bank to temporarily increase that limit.

Closing

I think it’s worth taking some time to go into your “spam folder” in your email and your text messages to see some of the examples of scam messages that were sent to you that you didn’t see. It’ll help, I think, raise your awareness and sensitivity to what is sketchy and should raise red flags for the future.

We live in a world where personal information is incredibly valuable and increasingly easy to misuse.

Unfortunately, there are a lot of really horrible people who are very creative in trying to separate you from your money. Awareness, skepticism, and a few practical habits can reduce the risk of becoming a victim.

BC Privacy Commissioner finds city's use of public surveillance cameras unlawful ... off to court

2026-01-18T20:32:00.001-04:00

The Information and PrivacyCommissioner of British Columbia just found that the City of Richmond in the BC lower mainland broke the law when it installed ultra-high-definition cameras in public places that capture faces, licence plates, and other identifiers. The Commissioner recommended that they take down the cameras and delete all the recordings. The City said “nope”, so the Commissioner issued a binding order for them to stop collection, delete recordings, and disband the system.

This is definitely going to court. The City of Richmond issued a statement saying they think it is lawful and appropriate, and are looking to have the legality of all of this determined by the Courts. I think that’s a good thing … the more clarity we have from the superior courts on the interpretation of our privacy laws, the better.

I should note that while these laws are generally consistent from province to province, there is a big variation on how police services are delivered. Not all of the conclusions of this finding will necessarily be applicable in all other provinces or municipalities.

The City of Richmond in British Columbia began field testing its “Public Safety Camera System” – or PSCS – in early 2025 at the intersection of Minoru Boulevard and Granville Avenue.

The City’s stated sole purpose was to collect and disclose video footage to the RCMP to assist in identifying criminal suspects. That point—sole purpose—is central to the Commissioner’s analysis. There was no other rationale for the City of Richmond to put up these cameras in these locations.

Operationally, the system involved multiple high-resolution cameras capturing:

licence plate numbers,
high-definition images of vehicle occupants,
pedestrians,
vehicle identifying features, and
location/time information tied to the intersection.

The cameras recorded continuously, and the City retained footage for 48 hours before deletion.

The field test included capabilities like licence plate recognition, pan-tilt-zoom variants, panoramic/multi-sensor configurations, and other detection features; the City confirmed it did not use facial recognition or built-in audio recording during field testing, though some cameras had those capabilities.

The City’s goal for the field test was essentially procurement-and-design: evaluate camera tech, decide numbers and placement, assess performance in different conditions, and confirm the PSCS could generate “usable” footage for law enforcement use later.

Under BC FIPPA, public bodies can’t collect personal information just because it seems useful. Collection has to fit within a listed authorization—most importantly here, s. 26.

The Commissioner situates that within a broader privacy-protective approach: privacy rights are treated as quasi-constitutional, and public bodies should only compromise privacy where there’s a compelling state interest.

Richmond relied on three possible authorities:

s. 26(b) (law enforcement),
s. 26(c) (authorized program/activity + necessity),
s. 26(e) (planning/evaluating a program/activity).

The Commissioner rejected all three, finding there simply was not legal authority for the collection of personal information – and without legal authority, there’s no lawful collection.

Richmond first said they were authorized under s. 26(b):

26 A public body may collect personal information only if
(b) the information is collected for the purposes of law enforcement,

Note the use of the word “only”. Unless section 26 permits it, a public body cannot collect personal information.

Richmond’s theory was straightforward: the definition of “law enforcement” includes policing, and the PSCS was meant to support policing by helping identify suspects—so it’s “for law enforcement.” That was their alleged purpose.

The Commissioner accepted there’s a connection: the information might be used by the RCMP in policing. But the Commissioner says that’s not the end of the inquiry, because the collector is the City—and the City must have a law enforcement mandate of its own to rely on s. 26(b).

This is a recurring theme in Canadian privacy oversight: a public body can’t bootstrap a law-enforcement collection power merely because another entity with a law-enforcement mandate might find the data useful.

The City may pay for law enforcement, and it may provide resources to law enforcement but they do not have a lawful law enforcement mandate.

The report describes three arguments Richmond advanced:

RCMP mandate should be imputed to the City (because the City “provides” policing by contracting with the RCMP to do it).
The City has a mandate to collect information for the RCMP.
The City has its own independent mandate to police through the cameras.

The Commissioner’s response is pretty technical: under the Police Act and the Municipal Police Unit Agreement framework, municipalities fund and resource policing, but policing authority and law enforcement functions remain with the police, operating independently of the municipality.

He underscores that the Police Act sets out specific ways a municipality provides policing—such as establishing a municipal force or contracting with the RCMP—and “running a surveillance camera system for the police to use” is not among those statutory options.

He also points to the RCMP’s peace-officer functions and the Municipal Police Unit Agreement structure as vesting law enforcement responsibilities in the RCMP, not the City, and he reads the legislative set-up as intentionally keeping policing independent from municipal control.

So this argument advanced by the City failed: the City lacked the necessary law-enforcement mandate, so it could not collect under s. 26(b)—even if the police might later use the footage.

Section 26(c) is the classic “public body operational authority” provision: even if a statute doesn’t explicitly say “collect this kind of personal information,” a public body can collect personal information if it is both:

directly related to an authorized program or activity, and
necessary for that program or activity.

Richmond framed its program as essentially: an intersection camera program to identify criminal suspects following criminal incidents, pointing to broad service powers under its Community Charter.

But the Commissioner rejected that program characterization as “authorized,” because—again—of the Police Act structure. In the Commissioner’s view, “collecting evidence to identify criminals that the RCMP may rely on” isn’t part of how the City is authorized to provide policing services or resources under the Police Act framework.

So, the analysis fails at the first step: if the underlying “program” isn’t authorized, 26(c) can’t save the collection.

The report goes further and addresses necessity. The Commissioner emphasizes that the City’s record was limited in establishing that: (a) unresolved crime was “real, substantial, and pressing,” (b) existing measures were ineffective, or (c) less intrusive means had been seriously examined.

He characterizes the intrusion into privacy as “vast,” relative to the limited evidentiary foundation offered to justify necessity.

The net effect was that the Commissioner was not satisfied that the City demonstrated that mass capture of high-definition identifying footage from “tens of thousands of people each day” who had nothing to do with any sort of crime was necessary for the purported municipal activity.

Richmond also argued: the field test is just planning and evaluation, and s. 26(e) specifically authorizes collection necessary for planning/evaluating a program.

The Commissioner’s treatment of 26(e) is crisp: 26(e) presupposes that the program being planned or evaluated is otherwise authorized. You can plan or evalue an authorized program, but if the program ain’t authorized, you can’t collect personal information to plan or evaluate it. Richmond itself largely accepted that proposition, and the Commissioner agreed.

Because the Commissioner had already found the PSCS was not authorized under 26(b) or 26(c), Richmond could not rely on 26(e) to do “planning” for an unauthorized program.

It makes sense that you can’t use the planning/evaluation clause as an end-run around the core requirement of lawful authority. Otherwise, everything under the sun could be said to be for planning or evaluation.

FIPPA generally requires notice of purpose and authority when collecting personal information. Richmond tried to avoid notice by invoking s. 27(3)(a)—the idea that a notice is not required where the information is “about law enforcement.”

The Commissioner gives two responses.

First: the City couldn’t rely on law enforcement as its underlying authorization in the first place—so that alone undermined the attempt to rely on the exception.

Second, and more fact-specific: during the field testing phase, the City had confirmed it was not using the information for actual public safety or enforcement purposes—only to test and evaluate camera technical capabilities.

So even reading “about law enforcement” broadly, the Commissioner questioned whether the testing-phase collection qualified as “about law enforcement,” because it would not be used to enforce any laws, and there was no compelling enforcement purpose weighing against notice.

Richmond did install signs, but the Commissioner describes them as a “courtesy” and finds them legally inadequate.

The sign said “PUBLIC SAFETY CAMERA TESTING / FIELD TESTING IN PROGRESS AT THIS INTERSECTION” with contact information for the City’s Director of Transportation.

The Commissioner’s critique is twofold:

First there was a Content deficiency: the signs did not clearly notify people that cameras were recording and collecting personal information, and did not include the purposes and legal authority for collection as required by s. 27(2).
And secondly there was a Placement deficiency: signage was vehicle-focused, placed for eastbound and westbound approaches, but did not address entries from other directions and did not notify pedestrians—despite the system’s capacity to capture pedestrians and pan widely, including multi-direction recording.

The Commissioner’s conclusion is direct: the City did not adequately notify individuals when it collected their personal information during field testing.

The report notes that disclosure under s. 33(2) generally depends on lawful collection in the first place, and because the collection lacked authority, the City could not rely on “consistent purpose” disclosure to the RCMP for evaluation.

On security, the Commissioner acknowledges the City described a reasonably robust set of safeguards, and that even where collection is unlawful, the City still has a duty under s. 30 to protect personal information in its custody or control.

But safeguards don’t cure lack of authority. They are necessary, not sufficient.

The OIPC’s recommendations were blunt:

stop collecting personal information through the PSCS,
delete all recordings, and
disband the equipment.

Richmond advised it would not comply, and the Commissioner issued Order F26-01, requiring immediate compliance and written evidence of compliance by a specific date.

My takeaway is that the Commissioner’s reasoning is primarily structural and jurisdictional: the City tried to create a surveillance-for-police capability, but the Commissioner reads BC’s legal framework as drawing a hard line between municipal services and police law-enforcement authority—particularly when the activity is mass surveillance in public space.

If you’re a public body contemplating “pilot projects” with high-capability cameras, the report is a reminder that planning provisions don’t let you pilot an unauthorized program, and that “law enforcement adjacent” doesn’t equal “law enforcement authorized.”

For a public body, every collection of personal information has to be directly authorized by law. It’s worth noting that the “law enforcement” provision in most public sector privacy laws is wide enough to drive a truck through. The RCMP in Richmond could have paid for and put up those cameras all over the place, since they have a law enforcement mandate.

Criminal courts are pretty adept at dealing with privacy invasions on a case-by-case basis using section 8 of the Charter, but we actually need a better way to to evaluate proportionality, necessity and appropriateness when it comes to proposed police programs that hoover up data on hundreds, thousands or maybe millions of innocent people in the name of “law enforcement”.

It’ll be interesting to see how the courts deal with this.

Canada's new proposed law to outlaw explicit deepfakes: Bill C-16

2026-01-11T18:30:00.003-04:00

A number of years ago, the Parliament of Canada amended our Criminal Code to create a criminal offense related to the non-consensual distribution of intimate images. Last month, the Government of Canada proposed to further amend the Criminal Code to include so-called deepfake intimate images, and to create an offence of threatening to disclose intimate images, deepfake or not.

Section 162.1, which was added to the Criminal Code in 2014, makes it an offence to publish, distribute, transmit, sell, make available or advertising an intimate image without the consent of the individual depicted in the image.

And a number of provinces have put in place laws that create civil remedies for the non-consensual distribution of intimate images.

With some variation, they generally have the same definition of “intimate image”, but they really haven’t kept up with an explosion of synthetic, AI-generated intimate imagery. Synthetic images are created by generative AI systems that can “learns” what a person looks like and can use that information to create new images that resemble that person.

If you look at the definition of what is an intimate image, it clearly presupposes that it is a recording of an actual person and that the actual person was involved, or at least present at its recording.

Criminal Code – 2014 Amendments Definition of intimate image (2) In this section, intimate image means a visual recording of a person made by any means including a photographic, film or video recording, (a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity; (b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and (c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.

It refers to an image or recording where the person “is exposing” certain body parts or “is engaging” in explicit sexual activity. It talks about “reasonable expectations of privacy” at the time the image is recorded and at the time the offence is created.

This definition would not capture synthetic, “deep fake” intimate images.

The province of British Columbia has the newest provincial statute to create a civil framework to provide civil remedies for the non-consensual distribution of intimate images. The definition there is clearly modeled on the definition from the Criminal Code of Canada, but does include images where the person is depicted as engaged in a particular activity, also regardless of whether the image has been altered. So the BC law would cover a situation where an actual image of a person has been altered, in any way, to depict the person as engaging in certain acts or nude.

Intimate Images Protection Act (British Columbia) “intimate image” means a visual recording or visual simultaneous representation of an individual, whether or not the individual is identifiable and whether or not the image has been altered in any way, in which the individual is or is depicted as (a) engaging in a sexual act, (b) nude or nearly nude, or (c) exposing the individual's genital organs, anal region or breasts, and in relation to which the individual had a reasonable expectation of privacy at, (d) in the case of a recording, the time the recording was made and, if distributed, the time of the distribution, and (e) in the case of a simultaneous representation, the time the simultaneous representation occurred;

But this updated definition does not cover purely synthetic images, meaning images that are original and are not simply alterations of existing images. You may recall a little while ago when AI generated sexualized images of superstar Taylor Swift were posted online. If I recall correctly, these were images that were not alterations of existing images but were rather the result of the AI image generator having ingested many, many images of Taylor Swift and “knowing” what she looks like. Those images would not have been captured by the current Criminal Code or even the newer definition in the British Columbia intimate images law.

In December, the Government of Canada introduced Bill C-16, called the “Protecting Victims Act”, that makes a number of amendments to Canadian criminal and related laws. Included in Bill C-16 are proposed amendments that will expand the existing definition of “intimate image” to include synthetic deepfakes.

So here’s the new definition from Bill C-16, but it’s more helpful to compare it to the existing language of the Criminal Code. I’ve crossed out what’s being removed and underlined what’s being added. So we see in subsection (2)(a)(i), where it deals with what has to be in an image or recording to be considered an “intimate image” – they’ve removed “his or her genital organs or anal region or her breasts” and have replaced it with “their sexual organs”.

Bill C-16 Proposed amendments (redline)

Definition of intimate image
(2) In this section, intimate image means

(a) a visual recording of a person made by any means including a photographic, film or video recording,

(i) in which the person is nude, is exposing ~~his or her genital organs or anal region or her breasts~~ their sexual organs or is engaged in explicit sexual activity,

(ii) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy, and

(iii) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed; or

(b) a visual representation that is made by any electronic or mechanical means and that shows an identifiable person who is depicted as nude, as exposing their sexual organs or as engaged in explicit sexual activity, if the depiction is likely to be mistaken for a visual recording of that person.

That change doesn’t really do what it appears it will do because they’ve added a new defined term in section 150 of the Code, which defines specific terms for Part V of the Code which deals with sexual offences.

“sexual organs” include breasts that are or appear to be female breasts and the anal region;

So this isn’t really a material change, as far as I can see.

Subsection (2)(b) is where they scope in deepfakes:

(b) a visual representation that is made by any electronic or mechanical means and that shows an identifiable person who is depicted as nude, as exposing their sexual organs or as engaged in explicit sexual activity, if the depiction is likely to be mistaken for a visual recording of that person.

So this part doesn’t depend on the reasonable expectation of privacy in the image or recording. Which makes sense. An actual image of an actual person will be associated with that actual person’s expectations of what would happen with that image. A purely made-up image doesn’t have that.

The key parts are that it is a visual representation that depicts the same sorts of body parts or conduct as in subsection (2)(a)(i), and that it has to be sufficiently realistic that the depiction “is likely to be mistaken for a visual recording of that person.”

It can’t be cartoon-ish or of such poor quality that you’d know immediately that it is not really that person.

The scope of what could be an intimate image could be broader, but we have to be mindful of freedom of expression. Unfortunately, as of January 10 when I’m recording this, no Charter statement related to Bill C-16 has been released by the Canadian Department of Justice. (It’s been more than a month since the Bill was tabled in Parliament, so should have been released by now.)

The creation and distribution of intimate images is an expressive act and would be protected by the freedom of expression provision in section 2(b) of the Charter of Rights and Freedoms. But protected expression can be subject to “reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society”. In order to justify the limitation, the goal of the legislature has to be pressing and substantial. i.e., is the objective sufficiently important to justify limiting a Charter right? And then there has to be proportionality between the objective and the means used to achieve it.

This has three parts: first, the limit must be rationally connected to the objective. There must be a causal link between the measure and the pressing and substantial objective.

Second, the limit must impair the right or freedom no more than is reasonably necessary to accomplish the objective. The government will be required to show that there are no less rights-impairing means of achieving the objective “in a real and substantial manner”.

Third, there must be proportionality between the deleterious and salutary effects of the law.

I think there is some risk that this expanded definition of “intimate images” may be vulnerable to being struck down as an unjustified infringement of freedom of expression. The law doesn’t create an offence of creating explicit deepfakes for “personal use”, so that’s not an issue. Though there is a defence related to “serving the public good” in section 162.1(3), I don’t think it’s broad enough to address the potential use of deepfakes in political satire and commentary.

Whether you like it or not, and regardless of whether you think it’s tasteful, AI generated imagery is being used to produce political commentary and satire. And yes, some of it does veer into depicting body parts and activities that can be captured in the new definition of “intimate image.” And you generally can’t outlaw expression just because it’s tasteless. At the end of the day, I don’t think the existing defence of “serving the public good” shields such political expression and leaves this provision vulnerable to a successful Charter challenge.

Before I wrap up, I should note that the Protecting Victims Act also proposes to create an offence of threatening to publish or distribute an intimate image. This is the new section 162.1(1.1):

Everyone who, with the intent to intimidate or to be taken seriously, knowingly threatens to publish, distribute, transmit, sell, make available or advertise an intimate image of a person knowing that the person depicted in the image would not give their consent to that conduct, or being reckless as to whether or not that person would give their consent to that conduct, is guilty of an offence.

This goes beyond what is typically described as “sextortion”, where a bad guy threatens to release intimate images in exchange for more such images or money. “Sextortion” is captured in the general offence of extortion. This new offence would capture a threat even where the person making the threat doesn't expect or demand anything in return. It’s a reasonable addition to the criminal law.

When student data is hacked & stolen: Regulators’ lessons from the PowerSchool data breach

2025-12-14T18:30:00.001-04:00

You may recall hearing about a significant cybersecurity breach affecting school boards from the end of last year and the beginning of this year: the PowerSchool cybersecurity incident. In the past little while, the Information and Privacy Commissioners of Ontario and Alberta have released their reports of findings into the incident. (Ontario, Alberta) There is some interesting stuff in there that I think is worth chatting about. I’ll note that the Information and Privacy Commissioner of Saskatchewan also released a report of findings in August of this year.

This incident affected millions of students, parents, and educators across the country, involved sensitive personal information, and raised questions about outsourcing, cybersecurity, and accountability in the public sector. But many of these issues will be relevant for the private sector. You simply can’t outsource accountability for protecting data.

One thing to be sensitive to is that school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. We’re seeing that with health information systems, and should expect it for student information systems.

Before I get into the main point of this episode, one digression … At least in Canada, we always have to ask “what privacy law applies?” When the incident came to light, it was completely clear that at least in Canada, public school boards and their students were affected. Every school board is subject to a provincial public sector privacy law. So there’d be no doubt that a provincial Information and Privacy Commissioner would have jurisdiction to investigate the incident.

It was interesting that the federal commissioner jumped in there. The federal commissioner has jurisdiction under the federal Personal Information Protection and Electronic Documents Act – or PIPEDA – where there is a collection, use and disclosure of personal information in the course of commercial activity.

In this case, the collection, use and disclosure of personal information was in the course of the school boards’ non-commercial activities. Just because the contractor – in this case PowerSchool is doing this for commercial purposes – should not give the federal commissioner jurisdiction. While both public and private sector privacy laws contain obligations to safeguard data, they work in very different ways. If a public sector privacy law applies to the school board, while the private sector law applies to the contractor with respect to the same information, it is unworkable. The two categories of laws are simply not compatible.

Regardless, the federal Office of the Privacy Commissioner of Canada also started making inquiries with PowerSchool, first announced on January 20. On February 11, the federal Commissioner announced they had launched an investigation and noted that they’d remain in close contact with provincial and territorial counterparts on the incident. There was no mention on the basis of his jurisdiction to investigate.

In July, the federal Commissioner announced that they’d negotiated a number of commitments from PowerSchool regarding cybersecurity upgrades, certification and monitoring. It’s worth noting that the letter of commitment specifically says that the Commissioner was of the view that PIPEDA applied in this case, PowerSchool did not agree, and reserves all future rights. And rightly so. At some point, we really need a court to step in to clearly lay down the lines between privacy laws in Canada.

Thanks for indulging me for this digression. Now onto the main part of this episode, where I plan to cover four things:

The background to PowerSchool and how schools use it
What happened in the cyberattack
What the Ontario and Alberta regulators investigated and concluded
Where their findings align — and where they differ

PowerSchool is a major education technology provider. Across Canada, school boards use PowerSchool’s Student Information System, or SIS, to manage day-to-day education operations. That includes:

Student enrollment and attendance
Grades and academic records
Contact information for students and parents
Medical alerts, accommodations, and special needs
Staff and educator information

In many provinces, PowerSchool hosts this data in cloud-based environments that are largely operated and managed by PowerSchool itself, not the school boards. Of course, it’s done on the school boards’ behalf.

Crucially, under Canadian privacy laws, school boards remain legally responsible for the personal information — even when a third-party service provider is handling it. That legal principle becomes very important once something goes wrong.

THE INCIDENT: WHAT HAPPENED?

The cyberattack was discovered in late December 2024.

Here’s what investigators from Ontario and Alberta determined happened. A threat actor obtained valid credentials belonging to a PowerSchool support contractor. These credentials had elevated privileges, meaning they could access PowerSchool’s internal support portal called PowerSource. PowerSource exists so that PowerSchool staff can provide remote technical support to customer school boards.

Once inside PowerSource with these credentials, the attacker was able to access multiple school boards’ Student Information System environments — effectively stepping through the front door.

From there, the attacker accessed student and educator databases, exfiltrated large volumes of personal information and copied data rather than encrypting systems. This was data theft, not ransomware in the traditional “systems locked” sense that we often see.

The compromised data included:

Names, dates of birth, and contact details
Student ID numbers
Medical alert fields and accommodations
Guardianship or custody indicators
Educator contact and employment details

In Alberta, some school boards reported that social insurance numbers were also involved.

After the breach was discovered, PowerSchool paid a ransom, reportedly believing that the data would be deleted. Months later, a second extortion attempt occurred involving the same stolen data — a reminder that once data is taken, control is largely lost.

Paying the ransom might have been a very sensible thing to do in the circumstances, but it’s no guarantee that the data’s been deleted and will never re-surface.

THE REGULATORY RESPONSE

Because public bodies were involved, this triggered investigations by provincial privacy regulators.

In Ontario, the Information and Privacy Commissioner investigated 20 school boards and the Ministry of Education.
In Alberta, the Information and Privacy Commissioner investigated 33 school boards, charter schools, and a francophone authority.

In both provinces, the regulators focused on a central legal question: Did the public bodies take reasonable measures to protect personal information, as required by their respective privacy statutes?

ONTARIO FINDINGS

The Ontario Commissioner concluded that, as a group, the institutions did not meet their statutory obligations under FIPPA and MFIPPA. That’s the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act.

There were three major themes in the Ontario findings: (1) Inadequate Security Safeguards, (2) Weak Contracts and Oversight, and (3) Data Minimization and Retention Failures.

1. Inadequate Security Safeguards

The Commissioner identified multiple weaknesses with Security Safeguards

PowerSchool accounts with excessive privileges - The rationale for the principle of least privilege is to reduce security and privacy risk by limiting the damage that can result from human error, malicious insiders, or compromised accounts. It should be implemented by granting users, systems, and applications only the specific permissions required to perform defined tasks, using restrictive defaults, role-based or task-based access controls, time-limited elevation of privileges, and regular access reviews to remove unnecessary or outdated permissions.

No mandatory multi-factor authentication for PowerSource access - This is one of the most important and effective measures for preventing unauthorized use of purloined credentials.

“Always-on” remote maintenance access - This meant that a bad guy with the credentials could get access to the maintenance tools, rather than only at the invitation of individual school boards.

Short log-retention periods, which limited detection of earlier suspicious activity

While PowerSchool operated the systems, Ontario emphasized that the school boards were still responsible for ensuring reasonable protections were in place.

2. Weak Contracts and Oversight

Ontario was particularly critical of how school boards managed their contracts with PowerSchool.

Many agreements:

Lacked meaningful audit rights
Did not require detailed security reporting
Had limited enforcement mechanisms
Did not clearly address subcontractors

Even more importantly from the OIPC’s point of view, the boards did not actively monitor PowerSchool’s compliance with those contracts. In other words, contractual promises existed — but verification did not.

3. Data Minimization and Retention Failures

The Ontario Commissioner also focused on data minimization and retention failures. The Commissioner found that many institutions simply collected more data than necessary and retained data far longer than required.

That significantly amplified the harm when the breach occurred. If you don’t need it, don’t collect it. If you no longer need it, don’t retain it. If you fail on either one of those – or both! – you have more data that you have to protect and more data that’s affected if things go wrong.

The Ontario Commissioner also found that breach response planning was inconsistent and, in some cases, inadequate.

ALBERTA FINDINGS

Alberta reached a similar conclusion, but approached the analysis somewhat differently.

The Alberta Commissioner found that the educational bodies failed to comply with section 38 of the FOIP Act, which requires reasonable security arrangements.

Key aspects of Alberta’s findings included (1) A lack of internal policies and guidance, (2) treating PowerSchool as an “employee”, and (3) an emphasis on the sensitivity of children’s data.

1. Lack of Internal Policies and Governance

Alberta placed strong emphasis on the fact that many educational bodies did not have adequate privacy or vendor-management policies, they could not point to documented procedures for assessing or monitoring service providers and they simply relied heavily on PowerSchool’s assurances.

From the Alberta OIPC’s perspective, privacy compliance begins with governance.

2. PowerSchool Treated as an “Employee”

One notable legal point in Alberta’s report is that, under FOIP, a service provider performing services for a public body is legally treated as an “employee”. That meant PowerSchool’s actions were attributed directly to the school boards themselves. This reinforces the idea that outsourcing does not reduce accountability.

3. Strong Emphasis on Sensitivity of Children’s Data

Alberta was particularly explicit in recognizing that children’s personal information is inherently highly sensitive, especially medical and accommodation data.

That sensitivity raised the expected standard of protection — and Alberta concluded that PowerSchool’s safeguards fell below that standard.

KEY DIFFERENCES BETWEEN ONTARIO AND ALBERTA

The conclusions in Ontario and Alberta were broadly aligned, but there are some differences in emphasis.

1. Governance vs. Contracting Focus

Ontario focused heavily on contracts, oversight, and vendor management failures.
Alberta focused more on internal policies, governance frameworks, and statutory accountability.

2. Sensitivity of Information

Alberta placed stronger, more explicit weight on the heightened sensitivity of children’s data.
Ontario addressed sensitivity, but framed much of the analysis around risk amplification through retention and over-collection.

Despite these differences, both regulators reached the same core conclusion: The public bodies did not meet their legal obligations, and outsourcing did not excuse that failure.

BROADER LESSONS

There are several broader takeaways from these investigations.

First, outsourcing does not outsource accountability. Public bodies remain legally responsible for personal information, regardless of who hosts it. This is the same in the private sector for outsourcing. Accountability does not shift under Canadian privacy laws.

Second, contracts alone are not enough: Oversight, auditing, and verification matter.

Third, data minimization is a security control: Retaining unnecessary data simply increases breach impact.

And finally, children’s data demands higher standards. Regulators are very clear on that point.

CONCLUSION

The PowerSchool incident may be just another cybersecurity story, but like most such stories there are lessons to be learned or reminders of things we should already know.

It’s a case study in public-sector procurement, privacy governance, and risk management.

Ontario and Alberta both sent a clear message: If you rely on third-party platforms to manage sensitive data — especially data about children — you must actively govern those relationships, not simply trust them.

In the backdrop to all of this is the simple fact that most school boards are chronically under-resourced and have a very hard time meeting their privacy and security obligations under existing budgets. This is particularly the case for smaller – often rural – school boards. The same can be said for smaller municipalities. Personally, I think the provinces should take a much more active role in working with school boards and their contractors to ensure the highest levels of cybersecurity. For a system as widely used as PowerSchool, provincial departments of education should enter into master services agreements with all the appropriate security terms, and the provincial departments of education should actively oversee at least the security and audit portions of the delivery of services.

One final thing to note – just because school boards are 100% accountable to their students for personal information they collect, use and disclose doesn’t mean that PowerSchool is necessarily off the hook. PowerSchool – and any contractor for that matter – can be liable to their customers for any contractual failings when it comes to safeguarding personal information. And depending on the contract terms, the contractor may be liable for the cost of any lawsuits that students and parents might bring against the school boards. And I can imagine some more extreme cases where students, parents and teachers could have a viable claim directly against PowerSchool. I understand there is one putative class action pending, started by a Calgary law firm. And this would be in addition to the at least 55 class action lawsuits filed in the United States by American plaintiffs.

What digital sovereignty? How a Canadian Court is forcing a French company to break French law

2025-12-05T17:00:00.001-04:00

Just recently, I heard about a very significant new decision from the Ontario Court ofJustice, where a judge in Ottawa ordered OVHcloud in France and its Canadian subsidiary to hand over user data stored in France, the UK, and Australia. While Canada is focusing a lot of attention on “data sovereignty”, this decision should get a lot more attention, particularly because the Canadian court is ordering the French company to violate a French law that is designed to protect France’s data sovereignty.

I regularly deal with situations like this in my law practice, where I assist companies in responding to police demands for user data. But rarely does it get to this point, and I’m afraid this sets a very negative precedent.

This case touches on jurisdiction, cross-border data, foreign blocking statutes, and the limits of Canadian investigative powers. It also relies heavily on the controversial Brecknell decision from British Columbia — and I have some things to say about that.

Let’s walk through the case, and then I’ll explain why I think the analysis in the decision goes off the rails.

This case arises out of a national security investigation. The RCMP obtained a Production Order under the Criminal Code s. 487.014, requiring two companies to produce customer information linked to four IP addresses. The two companies are OVH Group SA (a French company that provides cloud computing services globally, OVH’s Canadian subsidiary, Hebergement OVH Inc.

All of the IP addresses were hosted outside Canada — in France, the UK, and Australia. The data sought included subscriber information and metadata, but not the content of any communications.

They argued that they did not have the data. It was held by the French parent company. They are the operating company in Canada that apparently runs servers here for the global business. They don’t manage global accounts or have access to the records that the police were looking for. OVH Canada did not oppose the order as it applied to OVH Canada on any jurisdictional basis. They are a company that has offices, employees and facilities that operates within Canada.

The real issue was the attempt to compel the French parent company — a company with no physical presence in Canada — to produce data stored entirely abroad, and that is subject to foreign laws.

The parent company said:

● “We don’t operate in Canada.

● We don’t store this data in Canada.

● OVH Canada doesn’t control this data.

● French law — specifically the French blocking statute — prohibits us from producing it. (more about that blocking statute later)

OVH also pointed out that the proper, internationally-recognized channel for this type of request is through Mutual Legal Assistance — the MLAT process — which France said it would expedite. Yes, Canada and France have a treaty under which both countries have agreed to manage situations like this. It’s slower because it contains checks and balances. First Canada has to determine if the request is appropriate, and then France reviews the request before getting a French order to provide the data.

The Crown responded that:

● OVH Parent has a “virtual presence” in Canada, and based on the Brecknell case from BC, and cases following that, a “virtual presence” is enough.

● The company “presents itself” as a unified global enterprise on its website

● OVH Canada has previously responded to production orders about foreign IP addresses

● The French blocking law is rarely enforced

With those facts on the table, the Court had to decide: Does a Canadian criminal court have jurisdiction over OVH’s French parent? And even if it does, should the order be revoked because of conflicting French law or because MLAT is the proper mechanism?

The Court framed five issues:

Did OVH Canada have “possession or control” of the data?
Did the Court have jurisdiction over OVH Parent?
Would French law prohibit disclosure, triggering s. 487.0193(4)(b) - which justifies varying or revoking a production order where the data is “otherwise protected from disclosure by law”?
Should MLAT be required in these circumstances?
If French law applies, should the Court exercise its discretion to revoke or vary the order?

The first Question is whether OVH Canada has “Possession or Control” of the data

With respect to possession or control, the Court found that OVH Canada had enough of a connection to the information — including prior instances where it assisted police, and the ability to preserve data — to justify the authorizing judge’s conclusion that it had “possession or control.”

The second question was whether there was jurisdiction over OVH Parent

Regarding jurisdiction over OVH Parent, relying heavily on the Brecknell, Love, and textPlus decisions, the Court held that:

● A company may be subject to Canadian jurisdiction without physical presence

● A “virtual presence” or “real and substantial connection” can be enough

● OVH operates data centres in Canada

● OVH’s website presents itself as a unified global business

● Therefore, the French parent was sufficiently connected to Canada

The third question was about the effect of the French Blocking Law

The Court accepted French government statements that the French blocking law applied, but it found it could be largely disregarded because (a) The law has been rarely enforced, (b) There is no “real risk” of prosecution, and (c) Courts in other countries have treated it as an “empty vessel”. Yup. It’s a law but let’s largely ignore it.

The next question was whether the police should go through the mutual legal assistance process instead of a production order. The judge held that the MLAT is not mandatory, it can be slow and it is not mutually exclusive with domestic orders. The police can choose door A or door B. Their call.

In the final step, about discretion, the judge upheld the production order against both OVH Canada and the French parent, concluding that: (a) OVH Parent has a real and substantial presence through its “virtual presence” in Canada; (b) The risk under French law is minimal, and (c) The national security interest outweighs comity concerns.

In a nutshell, that’s what the court decided. And I think it’s deeply flawed.

There are, in my humble opinion, major problems with this decision. And they don’t just affect OVH Parent. It will have a big impact on Canada’s own attempts to assert data sovereignty.

The first problem is following the BC Court of Appeal decision called Brecknell

The Court relies on Brecknell as though it stands for a broad doctrine that Canadian courts can compel any foreign service provider operating online to disclose foreign-hosted data as long as the company is “virtually present” in Canada.

Brecknell is a 2018 case from the British Columbia Court of Appeal. In that case, the police wanted some data from Craigslist. They contacted Craigslist, who said “come back with a production order and we’ll happily give you the data.” So the police go to the court to get their production order and the court says that it can’t issue a production order directed at a company outside of Canada. So the police go to another court and get the same answer. So the police appeal that, and end up in the British Columbia court of appeal. The British Columbia Court of Appeal said that Canadian courts can issue production orders naming companies outside of Canada, as long as they have a “virtual presence in Canada.”

But in the Brecknell case, Craigslist — the target of the order — had already agreed it would comply with Canadian court orders. Through counsel, Craigslist said: “If we get an order, we will respond.”

This is not a small detail. This is the very foundation of jurisdiction in that case.

In other words: Craigslist voluntarily accepted Canadian jurisdiction.

With that fact, jurisdiction really should not have been an issue. Craigslist said “we have the data, just bring us a production order.”

This is not the situation with OVHcloud. OVH France explicitly said:

● We do not accept jurisdiction

● And we are prohibited by foreign law from producing it

OVH Cloud also said, we have the data and we will preserve it for you so you can get it through the established, diplomatic, country-to-country channels.

I am of the view that Brecknell was wrongly decided and this entire line of cases is problematic. We’ve gotten here, I think, they are largely “ex parte” appeals. Craigslist was not at the hearing for the production order. They were not at any level of court. Until the court of appeal, it was just the cops and the prosecution arguing for jurisdiction. At the court of appeal, an amicus was appointed who did a commendable job.

This line of cases also reaches the conclusion that this is the sort of situation that production orders are designed to address. And they are partially right, but again they suffer from generally only hearing from prosecutors on these questions.

The idea behind a production order is that the court can order someone to hand over data or produce data. It is distinct from a search warrant, where the court clearly has to have jurisdiction over the place to be searched and the police need authority as police officers to search the place. Places are physical. There is no way under recognized international law for a judge in Ontario to give the RCMP in Ontario a warrant to search premises in France for these records. If they were to show up in Paris with their warrant, they’d likely be arrested by French police for trespassing. And we’d have an international incident. It would be the same as sending the RCMP to France to arrest someone without the cooperation of the French government. It’s just not done.

Production orders were created so that a person or entity within the court’s jurisdiction can be ordered to produce a record that is under that person’s control. And that generally operates regardless of where the record is. But this depends on the person being within the court’s jurisdiction. It’s a great alternative to a search warrant because it’s not based on the police searching for something, but telling a person to provide data that they control.

A key principle of international law as applied in Canada is that Canadian law does not operate extraterritorially unless Parliament explicitly provides for it. The B.C. Court of Appeal in Brecknell did note this at paragraph 23, but failed to identify any parliamentary signal indicating that production orders were intended to have effect on persons wholly, physically outside of Canada.

[23] The need to interpret the section in light of restrictions placed on extraterritorial effects is uncontroversial. The fundamental principles were canvassed in R. v. Hape, 2007 SCC 26. There, Justice LeBel identified a number of settled but important principles. First, customary international law, which has been adopted domestically, limits the actions a state may legitimately take outside its borders. Customary international law is based on respect for the sovereignty and equality of foreign states. Sovereign equality commands non‑intervention and respect for the territorial sovereignty of foreign states. Nonetheless, Parliament may legislate “extraterritorially” in violation of those principles provided it does so expressly: see paras. 35‑46.
...
[30] The section is silent on issues to do with extraterritoriality, and it is silent on any question dealing with the location of the documents. Section 487.019(2) may offer some assistance by stipulating that, unlike search warrants, the order has effect throughout Canada without requiring endorsement if executed in another jurisdiction. The section reads:
487.019(2) The order has effect throughout Canada and, for greater certainty, no endorsement is needed for the order to be effective in a territorial division that is not the one in which the order is made.
It appears to me that this section is addressing a difference between search warrants and production orders. It does not directly deal with extraterritorial issues.

The only mention of territoriality in the Criminal Code production order provisions is confined to saying that they operate throughout Canada. That seems to me to be a signal in the other direction. That’s parliament saying this is confined to Canada.

The notion of a "virtual presence" was an invention of the Court of Appeal and is contrary to existing principles of international law. Even under the more flexible civil rules, the Supreme Court of Canada has cautioned that "carrying on business" requires some form of actual, not only virtual, presence in the jurisdiction. And public international law - such as criminal jurisdiction - is different from private international law such as determining where a plaintiff can bring a lawsuit.

The Brecknell court wrongly disregarded the inability to enforce the order against a company like Craigslist. The issuance of a production order extending outside Canada is an exercise of enforcement jurisdiction, which violates international law and Canadian domestic law absent clear authority from Parliament. The difference between an “order” and a “request” is the ability to put someone in the defendant’s dock for not following it. A Canadian production order directed at a non-Canadian company has a real potential to offend comity and the other country’s sovereignty.

So what about Mutual Legal Assistance Treaties (called MLATs)? These are the existing, agreed-upon mechanism for Canadian police to obtain data from non-Canadian companies. In circumstances where an order might offend comity and sovereignty, MLATs are how countries decide to deal with the issue.

The effect of privacy laws or blocking laws were not at issue and were not considered – but probably should have been – by the Brecknell court.

In the OVH case, the court refers to the case of The Queen and Love from the Alberta Court of Appeal (R v Love, 2022 ABCA 269), which was a case dealing with the admissibility of data that had been produced by Facebook from the US pursuant to a production order. It was not an application to vary or revoke an active production order. The Love court followed Brecknell. Again, what’s missing is the fact that Facebook provided the data pursuant to that order. Their policy – like most big US tech companies – is that they will follow Canadian legal processes voluntarily where they can do so consistent with their obligations under US law. By and large, Facebook’s voluntary cooperation should have made jurisdiction a non-issue in that case.

The OVH judge also refers to a case involving TD Bank from Quebec (Banque Toronto Dominion c. Cour du Québec, 2025 QCCS 2094). In that case, a big issue was whether TD Bank in Canada could be ordered to produce records held by one of its foreign subsidiaries. The Court concluded it had sufficient control over the subsidiary to require the production of the records. That’s the inverse of the relationship between OVH Canada and OVH Parent. A subsidiary does not control the parent company.

So to use Brecknell as if it resolved this question is — frankly — a misreading of the case.

Problem 2 — The Court Treats Ordinary Corporate Structure as a Legal Fiction

In addition, the decision disregards the fundamentals of second year law school “Business Associations” to treat OVH as effectively one entity, leaning heavily on:

● OVH’s branding

● The fact “it” has data centres in Canada

● The “collaborative language” on its website

● Shared legal services

● The appearance of a global enterprise

But this misunderstands how multinational cloud companies operate and how corporate law applies.

I sometimes think that some practitioners who spend all their time focused on criminal law forget the fundamentals of corporate law.

Corporations are separate legal persons. Subsidiaries are not automatically global agents of the parent company. And cloud marketing — “our global infrastructure,” “our data centers around the world” — is not a legal admission of control. It’s marketing.

Corporations are separate legal persons and this corporate separateness is generally only disregarded where there is actual fraud going on.

If courts treat branding copy as determinative of “control,” then:

● Any cloud provider operating in Canada

● With foreign infrastructure

● Could be compelled to produce foreign data

● Regardless of its actual legal authority to do so

This collapses corporate separateness in a way that is deeply inconsistent with both Canadian corporate law and international norms. Which leads directly to the next problem.

The Court points to a previous investigation where OVH Canada provided subscriber information for a German-hosted IP address to suggest that OVH Canada effectively has access and control over it.

But OVH explained — and this is common across the industry — that:

● The Canadian subsidiary assisted because doing so was legally safe

● There was no blocking law that stood in the way

● The foreign affiliate voluntarily cooperated

This demonstrates cooperation, not control.

Access that is permitted by a foreign affiliate is not evidence of legal authority to compel access.

If you need a particular tool for a project, and I don’t have one but my parents do, I may facilitate YOUR borrowing it from MY parents. That doesn’t mean I have control over that tool.

OVH Canada receives a production order for data that is under the control of its parent company. Rather than say “go to France”, OVH Canada facilitates the parent company producing the data in circumstances where it is lawfully able to do so. It’s called being helpful, and should not lead to the conclusion that the subsidiary has any possession or control of data that’s entirely in the possession and control of the parent company.

By treating occasional past cooperation as proof of control, the Court dramatically expands what “possession or control” means. After this, it would be prudent for the Canadian subsidiary of a foreign corporation to tell Canadian police to just go pound sand, rather than facilitate matters through internal channels.

This is perhaps the most troubling aspect of the decision: The Court Minimizes Foreign Law Because It’s “Not Enforced”

The Court acknowledges that the French blocking law applies. The French government — through the “Service de l’information stratégique et de la sécurité économiques” (SISSE) — which administers and enforces this French law explicitly said so.

But the judge concluded it doesn’t really matter because the French law is apparently rarely enforced, the Canadian prosecutors said there’s no “real risk” of prosecution and other courts have treated it as an “empty vessel”.

I think this approach is dangerous.

The rule of law depends on courts respecting what the law is, not how often a prosecutor decides to enforce it. A foreign state’s policy choices about enforcement:

● Do not change the meaning of the statute

● Do not change OVH’s legal obligations under French law

● Do not give Canadian courts authority to override foreign legislation

A law is a law. I know dozens of Canadian laws that are rarely enforced, but they still need to be followed. Remember, this is a Canadian court shrugging off a law duly enacted by an allied country, France.

If Canada wants foreign law to bend, the proper channel is MLAT — a mechanism built through mutual consent — not unilateral judicial action.

International comity is built on reciprocity. If Canada orders French companies to violate French law, then:

● Other countries may order Canadian companies to violate Canadian law

● Canada will have no principled basis to object

● Global cloud providers will face impossible conflicts

● And privacy for Canadians abroad will be weakened

Remember, this is happening at the exact time that the Canadian government is focused on Canadian “Digital Sovereignty”. We would find it incredibly offensive if a French or Chinese court were to order a Canadian company, in Toronto, to violate Canadian law.

MLAT exists precisely for situations where:

● The data is located abroad

● A foreign statute prohibits disclosure

● And the foreign state must authorize or supervise the production

France explicitly told Canada it would expedite the MLAT request. Refusing to use MLAT because it might be slow is not a justification for disregarding foreign law. In this case, there is no doubt that the data exists, that France will provide it via the MLAT and will do so speedily. Ordering OVH in France to break French law is unnecessary, unreasonable and – in my view – gratuitous.

This decision is important, but in my view, it’s also misguided.

By stretching Brecknell beyond its facts, by treating global branding as evidence of legal control by a local subsidiary, by using past cooperation as proof of present authority, and by dismissing binding French law because it’s “not vigorously enforced,” the Court has weakened the principles of comity, corporate separateness, and legal certainty.

While Canada is getting excited about “digital sovereignty”, the RCMP, these prosecutors and the court are disregarding France’s explicit law about its own “digital sovereignty.” This is a dangerous precedent to set. After this, why would France give a toss about Canadian laws designed to protect Canadian data?

There is a lawful path — MLAT, letters rogatory, diplomatic channels — and international cooperation depends on states using those channels rather than overriding each other’s laws.

And one important thing to remember: OVH is not suspected of committing any crime. It simply has records about someone that may be relevant for a Canadian investigation. It is not hiding behind a veil of French law to shield itself from liability. It is an entirely innocent third party that is getting dragged into a Canadian investigation, and is now being ordered to violate the law in the country where they are based. And that order is entirely unnecessary, since France and Canada have already negotiated a clear path to get access to this data without violating anyone’s laws.

I understand the case is being appealed – and rightly so. I’ll be keeping an eye on it.

Is Lawful Access Back? With comments on the govt's' disinformation-filled attempt to revive it

2025-11-22T18:00:00.004-04:00

On November 19, senior government MPs on the “crime file” held an unexpected press conference that suggests the government is looking to pull lawful access back from the grave. This press conference was full of misinformation and half-truths about the current state of the law and the government’s proposals.

You may recall that the government introduced Bill C-2, the Strong Borders Act as its very first substantive bill in Parliament following the recent election. It seemingly came out of the blue and its proposed changes to the law related to law enforcement and national security access to information were roundly condemned. As a result, the bill has languished and has not been referred to committee.

In another strange move, the government tabled a new bill (Bill C-12) that essentially was the Strong Borders Act but without the lawful access parts, apparently so they can fast track the other parts of Bill C-2. The new Bill C-12 is currently being considered by the House of Commons Standing Committee on Public Safety and National Security.

Most of us assumed that was the end of lawful access. Apparently not.

Earlier this week, Public Safety Minister Gary Anandasangree, Transport Minister Steve McKinnon, Secretary of State for Combatting Crime MP Ruby Sahota held a press conference defending “lawful access” and calling for the Conservatives to get onboard. If it hadn’t been for Michael Geist’s eagle-eyed attention to this topic, it might have been completely missed. The full press conference is on YouTube and I’ll link to it below.

The press conference was filled with misinformation about their own proposals and about the current state of the law. There are some things that are defensible, but they just can’t get out of their own way. Having watched it a couple of times, it was like they really don’t know much about their own bill or how law enforcement currently operates.

Everything said in the press conference seemed to relate to the provisions in Part 14 of Bill C-2, which are principally new demands and orders for customer information. I did not hear anything said that was a clear reference to Part 15 of Bill C-2, which would create a whole new law called the “Supporting Authorized Access to Information Act”. And what’s also weird about that is the politicians there are associated with the Department of Public Safety, which we are told is the author of Part 15. Part 14 of Bill C-2 was written by and is the responsibility of the Department of Justice, which was absent from the press conference.

The press conference was full of confused political puffery. And some statements were entirely incorrect and would leave any viewer misled. They accused others of engaging in dispensing misinformation, which is just rich.

They repeatedly said that the new tools for law enforcement have judicial oversight. Here is Secretary of State for Combatting Crime MP Ruby Sahota:

“They have also made it extremely clear that these tools are not warrantless surveillance. They are used with judicial authorization and clear legal thresholds, including modernized production and (...) preservation orders, clarified duties for surveillance providers, and access to basic subscriber information only on judicial order with strong safeguards.”

I assume instead of “surveillance providers”, she meant to say “service providers”.

“Bill C2 gives police the tools they need with oversight Canadians expect.(...) Judicial authorization,(...) clear legal thresholds, strict limits on what can be accessed and when, and no warrantless surveillance full stop.(...)”

The WARRANTLESS information demand is just that. No warrant. No judicial authorization required.

They said that we’re just talking about getting customer names and addresses, so no big deal.

“We're trying to connect phone numbers to names and addresses, and then judicial authorization would have to get involved even further in order if that person was a suspect and we needed further information. So it's not about encrypted, you know, data or information. It is about connecting a name or an IP address to a phone-- to an-- I mean, an IP address or a number to a name and an address. That's all this is about.”

This also is incorrect and significantly misleading. Customer names and addresses from telcos are certainly “in scope”, but these provisions are not at all limited to telcos. This applies to anyone who “provides services to the public.” You know who also provides services to the public? Your doctor. It can be used with telcos, and it can be used with your doctor’s office.

And it’s not limited to “customer names and addresses”. Creates a mandatory disclosure of “subscriber information” that is defined so broadly that it includes ALL “information that the subscriber or client provided to the person in order to receive the services”. Yes, that’s the medical history form you filled out when you first visited the clinic. It includes the types of services the clinic provided to you and information about any specialists you were referred to. The scope of this is breathtaking. It does require judicial authorization, but with the lowest burden of proof our legal system has. Something just more than a hunch. And the judge can’t say “hey, all you need is a name and address” so we’ll limit the order to that. Nope, the order is for all SUBSCRIBER INFORMATION.

And there was also some horrific misinformation about the tools the police currently have to do their jobs.

“The regime we have today is unacceptable. So I'd like to share some examples so that I can bring the issue to light. I find that there's not been a lot of coverage on extortion, but you've definitely been hearing about it in the House. That's because many of our communities are suffering from these cases. And what's unacceptable right now is it taking six months for the police to be able to get judicial authorization, to be able to connect a phone number to someone who's extorting an individual in my riding, who has been out of their home because their home has been shot up and it's dangerous for their kids to live there. They can't go to school in a regular routine. They can't operate their business. And that's unacceptable. And I believe in Canada, our law enforcement should have the capabilities of being able to track down violent criminals such as these.”

I am sorry. If it is taking the police six months to get a warrant after a house has been shot up … the police simply are not doing their jobs and are not using the tools they currently have. A police officer in a squad car can pick up the phone and get a production order, if circumstances exist for dispensing with the formalities of a personal appearance before a justice of the peace.

The Honourable Ruby Sahota is the MP for Brampton North Caledon in Ontario. The local police of her jurisdiction is the Peel Regional Police. I’ve seen many production orders obtained by officers in the Peel Regional Police. I really, really doubt that it takes six months of effort to get a production order. Most of them are issued within a very short period of time from the alleged offence. Just for illustration purposes to find something on the public record, I did a really quick search in a public legal database and found a case from Brampton that will illustrate the current process. The case is called R v Owen, 2017 ONCJ 729.

The investigation began on March 23, 2015 of an unknown individual suspected of downloading images of child abuse. They had an IP address connected with the suspected crime, but didn’t know who it was connected to. They could determine the internet service provider. After some investigating, the Peel Police sent a preservation demand to the internet service provider, requiring the ISP to preserve the account information while they got a production order. On April 7, they applied for a production order to get the customer name and address from the internet service provider. The order was issued the next day. Less than a week later, on April 17, the internet service provider provided the information. Three days after that, on April 20, the police had a warrant to search the home. (I should note that the reason why the Owen decision goes into so much detail was that the production order and the search warrant were thrown out because the police misled the court in getting them.)

But setting that aside, that’s nowhere near six months. The laws in effect in 2015 are essentially the same laws we have now, that the government wants the police to be able to side-step. Suggesting it takes six months to get a production order is an outrageous statement from the “Secretary of State for Combatting Crime.” It’s so outrageous that I assume it’s an outright lie.

Here’s what’s currently in the criminal code, which authorizes the cops to go to a judge and get an order for customer name and address – or any other information – if they have reasonable grounds to believe an offence has been committed and the addressee of the order has the data. What’s proposed in Bill C-2 is an order based solely on a hunch – reasonable grounds to suspect an offence has taken place. And the scope of the production is much broader. Fewer grounds and more information.

Look, if the government thinks their proposal has merit and should proceed through parliament, they should be prepared to actually justify the new powers. And they should do it with facts and not political puffery or straight BS.

I will assume – at least for now – that the Minister of Public Safety is being honest when he acknowledges that the current bill is flawed and is willing to listen to feedback to make it acceptable:

“Um, it is not a perfect piece of legislation. So, we are open to to uh to feedback from uh from our partners, from uh uh from civil liberties groups, from other uh entities that may have an interest um in this area. And we will work across party lines to make sure that we have consensus on on having a lawful access regime that is acceptable to Canadians.”

I’ll link below to my previous episodes where I discuss, in some depth, Part 14 and Part 15 of Bill C-2, in case you want the straight goods on what’s in the Bill. So far, nobody has accused me of making stuff up.

My previous video on Part 14 of Bill C-2: https://youtu.be/wOgo4TuoJec

My previous video on Part 15 of Bill C-2: https://youtu.be/E1LV2fcD9Bs

Online reviews and privacy claims: Lessons from RateMDs v Bluler (BCCA)

2025-11-16T10:10:00.004-04:00

Can a doctor claim a privacy violation because a website creates a profile for them using public information, hosts anonymous reviews, and ranks them against their peers?

The British Columbia Court of Appeal says no in RateMDs Inc. v. Bleuler, 2025 BCCA 329. Let’s walk through what happened — and what this means for privacy in Canada.

Let’s start with the background to this case.

RateMDs.com is a website where people can look up health professionals, read and post reviews, and compare ratings. You’ve probably seen it — you search for a physician, and you get their name, their contact information, their ratings, and often a long list of anonymous comments.

Dr. Ramona Bleuler, a BC physician, discovered that RateMDs had created a profile for her. She didn’t ask for it. She didn’t consent to it. And she couldn’t remove it.

The platform listed her name, her professional contact information, a list of reviews from anonymous users and a comparative ranking of doctors in her specialty and geographic region.

RateMDs also offers paid subscriptions that allow physicians to hide a limited number of reviews. Dr. Bleuler wanted to start a class action on her own behalf and on behalf of other physicians in Canada who had listings on RateMDs.

Class actions – at least in Canada – have specific procedures, which require that the class action be certified before it can go ahead. There are a number of things the court must look at pursuant to the Class Proceedings Act, but the most important question for our analysis here is whether the pleadings disclose a cause of action. When you read the pleadings, and assume that the facts are true and provable, is there an actual legal claim there? This is a screening function to weed out any legal claims that are bound to fail, and the court is only supposed to examine the facts alleged in the statement of claim.

This case principally turns on whether the legal claims made by the representative plaintiff are viable.

So the plaintiff sued RateMDs and its parent company under the provincial Privacy Act. She said that by creating a profile for her, hosting reviews, and ranking her relative to her peers, RateMDs violated her privacy.

She wasn’t claiming that specific reviews contained private information. She wasn’t arguing defamation. Her claim was broader: she said the very act of aggregating, hosting, and ranking health professionals without their consent violated privacy law. In particular, the plaintiff was relying on the statutory privacy torts created by the legislatures of British Columbia, Saskatchewan, Manitoba and Newfoundland. The proposed class would be physicians who reside in those provinces. The plaintiff also tried to rely on Quebec’s privacy statute, but that part wasn’t allowed to proceed in the lower court.

She relied on two sections of the British Columbia Privacy Act, and their equivalents in the other provinces.

First, section 1, which creates a tort — actionable without proof of damage — where a person ‘wilfully and without claim of right’ violates the privacy of another.

Violation of privacy actionable
1 (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.

Second, section 3(2), which prohibits the unauthorized use of someone’s name or portrait for the purpose of advertising or promoting the sale of goods or services.

Unauthorized use of name or portrait of another
3 (2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on the other's behalf, consents to the use for that purpose.

Her argument was that RateMDs is a commercial enterprise. The profiles draw traffic, the reviews attract users, and the rankings keep people engaged. Because this commercial model depends on using doctors’ names and contact information, she said this amounted to both a privacy violation and commercial exploitation of identity.

The BC Supreme Court agreed the case should go forward. The judge certified the class action. I have to emphasize that this was only based on the pleadings and the court was essentially saying that the claims looked viable, but that didn’t mean the plaintiffs would win at any eventual trial.

But RateMDs appealed. And at the Court of Appeal, everything changed.

The Court of Appeal approached the case by asking the basic but crucial question: Even assuming all the facts in the claim are true, is there a viable cause of action under the privacy statutes?

Again, this is a threshold question in class action certification. You don’t look at evidence. You look at the pleadings. You ask whether the claim has a reasonable chance of success.

A claim can be novel — that’s okay. But if it’s doomed to fail, the court must strike it.

Here’s the heart of the Court of Appeal’s reasoning:

At least for the purposes of a civil claim, privacy starts with identifying private information. And the claim failed at this starting point.

The Court of Appeal said:

● A doctor’s name is not private.

● Professional business contact information is not private.

● Reviews written by patients about a doctor’s professional services are not private.

● Rankings based on those reviews are not private.

The Court emphasized that privacy law protects reasonable expectations of privacy. And when someone is carrying out professional, public-facing work, the threshold for privacy protection is different.

The Court relied on earlier BC cases — including Niemela v. Malamas — which held that complaints about how a lawyer performs their work do not attract a reasonable expectation of privacy. Professional reputation is not the same thing as privacy.

The doctor tried to frame her privacy right as a right to control how information about her was used. But the Court said: control only exists if there’s a privacy interest in the underlying information. If the information is not private, there is nothing to control. Or at least privacy torts don’t leap in to give you that control.

For privacy lawyers, this is an important clarification: The BC Privacy Act protects privacy, not reputation, and not personal preference about the use of publicly available professional information.

The Court concluded that because there was no reasonable expectation of privacy in the information posted on RateMDs, the privacy claim under section 1 was bound to fail.

The Court also noted an important distinction: This case wasn’t about whether any particular review contained sensitive information. The plaintiff expressly disclaimed that argument. She said the content didn’t matter — only the existence of the profile and the ranking system did.

The Court said that privacy law doesn’t work that way. You can’t claim a violation based on a website compiling publicly available information unless there’s some private content involved.

So the broad theory — that creating a profile and ranking professionals without their consent is itself a privacy violation — was rejected. There would have to be something more … and in this case, there was not.

The BC Supreme Court judge had relied in part on the rules governing how health professionals can advertise. For example, doctors can’t use testimonials. They can’t compare themselves to colleagues. The judge below thought this regulatory context created a privacy interest.

The Court of Appeal disagreed.

Those rules regulate doctors. They do not regulate third-party websites. They do not create privacy rights. And they do not convert publicly available information into private information. The Court of Appeal wrote at paragraph 98: “However, the interest of provincial regulators in restricting advertising by health professionals has no obvious connection to the respondent’s asserted privacy interest. The regulatory concern is to protect the public, not to protect the privacy of health professionals. That regulatory interest has nothing to do with the plaintiff’s reasonable expectation of privacy.”

So the regulatory framework could not be used to manufacture a privacy interest where none otherwise existed.

Next, the Court examined the claim under section 3(2) — unauthorized use of name or portrait for advertising.

This is the ‘misappropriation of personality’ tort. It typically covers: (a) using someone’s name or image in an ad, (b) using a person’s likeness to promote goods or services or (c) endorsements without consent.

RateMDs wasn’t using doctors’ identities to advertise or sell anything in the sense required by the statute. It was running a platform where reviews are posted and accessed. Running a commercial website that uses names in this manner doesn’t cut it. That’s not the kind of commercial exploitation section 3(2) is meant to capture.

So the Court of Appeal found that the claim under section 3(2) was also doomed to fail.

With both privacy causes of action rejected at the threshold stage, the Court of Appeal allowed the appeal, set aside the certification order and dismissed the action entirely. This was a complete win for RateMDs.

What are the broader implications?

First, the Court drew a clear boundary around privacy law: You can’t use privacy torts to challenge the existence of a professional review platform.

Second, the decision reinforces that privacy torts require a reasonable expectation of privacy in identifiable, specific information. That expectation must be grounded in: (a) the nature of the information, (b) the specific context, and (c) established privacy norms.

Third, platforms that rely on publicly available, professional information to generate profiles or rankings are, at least under BC’s statute and its equivalents, unlikely to face successful privacy claims — unless they publish actually private or sensitive data.

Fourth, the Court left open — deliberately — that if a review leaks confidential information or medical information, that could be a privacy violation. But that’s not what this case was about.

Finally, this is a reminder that privacy law is not a catch-all remedy for online reputational harm. Other legal avenues may exist such as defamation — but the privacy tort has a defined scope.

A last thing to note, which is important, is that this decision was made in the context of privacy torts – civil claims for invasion of privacy or use of image and likeness. Under our more general privacy statutes, such as the Personal Information Protection and Electronic Documents Act, whether information is “personal information” – and thus whether the statute applies to it – does not depend on whether the information is “private” or the “confidentiality” of the information.

A person’s name is subject to those laws, but may simply be less “sensitive”. Though a lot of the same principles may be in play, one should always be cautious about assuming that what a court says in the tort context will apply directly to our commercial privacy laws.

Nova Scotia's new Freedom of Information and Protection of Privacy Act (Bill 150)

2025-11-09T20:48:00.001-04:00

In just the past month, kind of unexpectedly, the Nova Scotia government introduced and passed a new public sector privacy and access to information law that completely replaces the existing Freedom of Information and Protection of Privacy Act (known here as “FOIPOP") with a new law that will come into effect in April of 2027.

This isn’t completely out of the blue because the Nova Scotia government has been “reviewing” FOIPOP since 2022, but unlike in most provinces it has been “behind the scenes”. Unlike other provinces, which have public consultations, Nova Scotia’s consultation on transparency was behind closed doors.

I wrote to the then Minister of Justice seeking to participate on behalf of the Nova Scotia branch of the Canadian Bar Association’s Privacy And Access Law Section. The CBA was never invited to chat. I wonder who else commented. We were told that the results of this review would be made public, but they never were. All we got was Bill 150, dropped in the legislature on September 26 and passed on October 3. There was no real opportunity given for privacy and access to information experts to appear in committee with their comments.

In this episode, I’m going to do a relatively high-level overview of what’s changing with the new FOIPOP that will come into effect in 2027. There’s some good, some bad and some changes that I’m indifferent to. I hope I can provide a relatively unbiased view of it, given that I do legal work for applicants who are seeking access to records, for public bodies who have to comply with the law and third parties whose records held by public bodies are sometimes the subject of access requests.

There’s a big change to the purposes clause of the law. The original FOIPOP was relatively unique among access to information laws in Canada in that it clearly had as its intent full transparency, accountability and access – as fundamental to how democracy should work.

The purpose clause in the current act includes:

2. The purpose of this Act is …

(b) to provide for the disclosure of all government information with necessary exemptions, that are limited and specific, in order to
(i) facilitate informed public participation in policy formulation,
(ii) ensure fairness in government decision-making,
(iii) permit the airing and reconciliation of divergent views;

That part is gone. Just removed. The leader of the opposition made a motion to have it returned, but the motion was defeated.

That’s too bad. The purpose clause is important in how regulators and courts approach the law, and future governments will be able to say it was removed for a reason and that should influence how it is interpreted. That’s a real step backward.

As I said, the new Act fully repeals and replaces the earlier statute. It restructures the entire Act into clear Parts (e.g., Part I – Freedom of Information; Part II – Protection of Privacy; Part III – Reviews and Appeals; Part IV - Information and Privacy Commissioner), and has a number of standardized definitions for consistent terminology (like “access request,” “correction request,” etc.), and procedural timelines are now measured in business days rather than calendar days. This will draw out access requests. Previously, the public body had thirty days; now it’s thirty business days. That’s thirty five percent longer. Easier on the public body, to be sure, but it will mean it takes longer to get requested information from public bodies.

An important change in the new FOIPOP is that it will include municipalities. The Commissioner's jurisdiction is significantly expanded through the consolidation of provincial and municipal regulation. Specifically, the new Act repeals Part XX of the Municipal Government Act and integrates municipalities and municipal bodies into the general FOIPOP framework. Part XX of the MGA was generally a mirror of FOIPOP, but with some significant differences. Bringing municipalities into FOIPOP means the Commissioner now has explicit and uniform jurisdiction to conduct reviews and investigations involving municipal units. The Review Officer's previous roles in handling appeals related to access and correction requests are maintained, but the new Act formalizes two new categories of complaint investigation called Privacy Reviews. These reviews can be initiated by individuals who believe their personal information was collected, used, or disclosed in contravention of the Act, or proactively by the Commissioner if there are reasonable grounds to suspect a contravention.

One of the most important changes is that the former “review officer” is now the Information and Privacy Commissioner of Nova Scotia, and will be an officer of the Nova Scotia House of Assembly. While still appointed by the Governor-in-Council, this position is much more independent of government than under the present Act. A big miss, at least as far as critics are concerned, is that the Commissioner does not have the ability to issue binding orders on public bodies. That position still just issues recommendations, and it’s up to applicants to go to court to get orders.

The 2027 Act introduces or revises numerous definitions, including “Personal information” which now explicitly includes IP addresses, biometric data, and genetic characteristics, while excluding business contact information.

In the part of the Act related to the right of access to public body records, changes clarify that the right of access extends to records in custody or control of a public body, but not to duplicates or exact copies. It says that part of a record that can be withheld and can be reasonably severed, access must be provided to the remainder of the record.

Not surprisingly, the amendments made earlier this year related to frivolous, vexatious and unduly repetitive requests have been continued in the new FOIPOP. The Commissioner must approve a request from a public body to disregard a request, with defined criteria and 14-business-day timelines for both application and decision. It does provide applicants with a right to appeal to the Supreme Court of Nova Scotia if their request is disregarded.

Almost all the timelines in FOIPOP have been extended. All procedural periods are now in business days (such as giving a public body 30 business days to respond to an access request). It also introduces an explicit suspension of time calculations while fees are being negotiated or reviews are underway (s. 20).

The government gets to set a standard application fee pursuant to the regulations, and also sets service-based fees but exempts requests for one’s own personal information and provides 3 free hours of work time. Public bodies can charge additional fees if the request will take more than three hours. When presented with a fee estimate, applicants may narrow their requests accordingly. Once the request is being processed, a public body can provide a “revised fee estimate” that the applicant can either accept or revise their request. Fee estimates and revised fee estimates can be referred to the Commissioner.

There remains a possibility for fee waivers where disclosure serves a public interest (e.g., environment, public health, or safety), or if the applicant can’t afford to pay the fee.

One thing that is interesting and progressive: The new FOIPOP specifically says that public bodies must provide electronic records in “an electronic form that is capable of re-use”. This is positive. If the record is an Excel spreadsheet, the spreadsheet itself should be provided and not just a photocopy of the spreadsheet. (There are few things as useless and opaque as a print-out of an excel spreadsheet full of formulas.)

There are a number of changes that will restrict public and journalistic access to records. The first is an expansion of the definition of “legal privilege” to specifically include settlement privilege. And at section 86(2), the Information and Privacy Commissioner will not be able to inspect a record that is alleged to be privileged to determine if it actually is privileged. Only the Court can do that, and the process to get there can be set out in the regulations.

The second major restriction on the right to know is essentially excluding any right of access to any record that is defined as an “Executive Council record”, going well beyond what was traditionally “cabinet confidences.” To make it worse, in section 32(2), a head of a public body is prohibited from disclosing Executive Council records. There’s no discretion.

The new Act expands the privacy sections substantially and in a good way, but most of the details will have to wait until we get to see the regulations.

Every public body will have to have a privacy policy and has to publicly disclose its internal privacy-complaint process.

Once the Act comes into effect, every public body will have to carry out a privacy assessment for any new or substantially changed “project, program, system or other activity involving the collection, use or disclosure of personal information”. The details for what must be in a privacy assessment will be determined in regulations.

The new Act defines “Data-linking” programs – where two or more data sets are combined, either temporarily or permanently, and requires them to be carried out only in accordance with the yet to be seen regulations.

There are some tweaks to the rules that permit a public body to collect, use or disclose personal information. These public sector privacy laws are generally not based on consent so these rules set the guardrails for public bodies. There are new rules related to inter-agency data sharing, research, and public-interest exceptions.

There’s a new explicit authorization for disclosure to protect individuals from intimate-partner violence or human trafficking.

The new Act introduces obligations to contain, assess, and notify affected individuals and the Commissioner of privacy breaches that pose a real risk of significant harm — aligning Nova Scotia with federal PIPEDA and other provincial models.

There is a weird new provision in s. 79 that authorizes a public body to go to court if “personal information in the custody or under the control of a public body has been stolen or has been collected by or disclosed to a third party other than as authorized by this Act”. They can get an order to return or destroy the personal information, or any other order the court considers appropriate to protect the personal information.

If you’ve been reading or watching my stuff, you may recall that in 2020, the Government of Nova Scotia went to court to try to identify people who may have read unredacted Workers Compensation Appeal Tribunal decisions that were mistakenly given to the Canadian Legal Information Institute, known as CanLII, and they were posted online. I was one of the people they identified, and I was contacted by the government as part of their damage control. (Here's a video I did on that on my YouTube channel: https://youtu.be/XETVLvkksj0.)

There’s also an interesting, quirky new section that essentially says that a public body is deemed to have not “collected” personal information if it does not relate to a program or activity of the public body, and they either delete it, return it or transfer it to another public body or federal government institution if it’s relevant to the other public body or institution’s programs or activities.

Individuals still have a right to access their own information, and public bodies have an obligation to retain any information that has been used to make a decision directly affecting an individual for at least one year so the individual can exercise their access right. And also in such circumstances, the public body has to make every reasonable effort to make sure the information is accurate and complete.

While the former Privacy Review Officer Act existed separately, the new Act integrates and strengthens the privacy review powers directly within the consolidated statute, giving the Commissioner an explicit mandate to conduct Privacy Reviews. This authority can be used to investigate complaints that personal information has been improperly collected, used, or disclosed, and allows the Commissioner to proactively initiate an investigation if they have reasonable grounds to believe a contravention has occurred.

Finally, on the privacy side, the new FOIPOP revokes and replaces the Personal Information International Disclosure Protection Act or PIIDPA. That law generally prohibits a public body from allowing personal information to be stored outside of Canada or to be accessed from outside of Canada, subject to some exceptions. Under the new FOIPOP, a public body will only be allowed to store or permit access from outside of Canada in accordance with specific regulations, which we haven’t seen yet.

While the new independent Information and Privacy Commissioner is not granted the ability to issue orders or levy penalties in connection with access, correction or privacy reviews, the Commissioner does have broad powers in connection with carrying out such a review. The Commissioner can summon witnesses and compel records (other than records that are claimed to be privileged). The Commissioner can initiate a privacy review without a complaint or request if the “Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene this Part”.

The Commissioner also has an important role to play in requests that a public body thinks is trivial, frivolous, vexatious or abusive. The public body has to seek the approval of the Commissioner to disregard such requests, which is an important check to prevent the overuse of these new provisions.

Individual complainants, exercising access, correction and privacy rights, still have recourse to the Supreme Court of Nova Scotia. In most cases, that will be following a review by the Information and Privacy Commissioner, but individuals do have the right to skip the Commissioner and go straight to the Supreme Court of Nova Scotia. Once you’re in the Court, it is what’s called a “de novo” proceeding meaning that the Court will determine the matter from the very beginning. And the court can issue binding orders.

Finally, the new FOIPOP expands the number and kind of offences that can result in charges and prosecution: this includes (a) willfully collecting, using or disclosing personal information in contravention of the Act, (b) willfully attempting to gain access to personal information in violation of the Act, (c) obstructing the Commissioner and (d) destroys, alters or falsifies a record to evade a request for access to records.

So this represents a significant change to the privacy and access to information landscape in Nova Scotia. It repeals the old Freedom of Information and Protection of Privacy Act, the Privacy Review Officer Act, the Personal Information International Disclosure Protection Act and Part XX of the Municipal Government Act, replacing all of them with a new Freedom of Information and Protection of Privacy Act. As I said, it comes into effect in April 2027.

This has been a relatively high-level overview of the new Act. Each time I read it, I find something new. I would encourage folks in Nova Scotia who have an interest in access to information and privacy to review the legislation, and let the government know if it raises any concerns. Though the process to get here has been the opposite of transparent, there is an opportunity before April 2027 to amend it before it comes fully into effect.

Canada's Privacy Regulators vs. TikTok: A critical overview

2025-10-19T13:01:00.001-03:00

(This post is largely a transcript of the YouTube and podcast episode above.)

On September 23, 2025, the Federal Privacy Commissioner and his provincial counterparts in British Columbia, Alberta and Quebec issued a joint report of findings into TikTok. This is a big one. It raises some interesting — and troubling — questions about jurisdiction, children’s privacy, reasonableness, consent, and what it actually means to protect privacy.

In my view, the Commissioners have imposed an almost impossible standard on TikTok — one that, ironically, could actually reduce privacy for users. Let’s unpack what they found, and why I think they may have gone too far.

I’ll note that the finding is more than thirty pages long, with almost two hundred paragraphs. This should be treated as an overview and not a deep dive into all of the minutiae.

TikTok Pte. Ltd., a Singapore-based company owned by ByteDance, operates one of the most popular social-media platforms in the world. In Canada alone, about 14 million monthly users scroll, post, and engage on TikTok.

The investigation examined whether TikTok’s collection, use, and disclosure of personal information complied with PIPEDA, Quebec’s Private Sector Act, and the provincial privacy statutes of Alberta and B.C.

A key preliminary issue was jurisdiction.

The British Columbia Personal Information Protection Act is a bit quirky. It says

Application
3 (1) Subject to this section, this Act applies to every organization.
(2) This Act does not apply to the following: (c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

TikTok argued that because of this, only one of the Federal Act or the British Columbia Act could apply.

In my view, the response to this argument by the Commissioners is facile. They said:

[22] Privacy regulation is a matter of concurrent jurisdiction and an exercise of cooperative federalism, which is a core principle of modern division of powers jurisprudence that favours, where possible, the concurrent operation of statutes enacted by the federal and provincial levels of government. PIPA BC has been “designed to dovetail with federal laws” in its protection of quasi-constitutional privacy rights of British Columbians. The legislative history of the enactment of PIPEDA and PIPA BC and their interlocking structure support the interpretation that PIPEDA and PIPA BC operate together seamlessly.
[23] PIPA BC operates where PIPEDA does not, and vice versa. In cases such as the present, which involve a single organization operating across both jurisdictions with complex collection, use, and disclosure of personal information, both acts operate with an airtight seal to leave no gaps. An interpretation of s. 3(2)(c) that would deprive the OIPC BC of its authority in any circumstance the OPC also exercises authority is inconsistent with the interlocking schemes and offends the principle of cooperative federalism.

In my view, this has nothing to do with “cooperative federalism”. In this case, they’re waving their hands instead of engaging in helpful legal analysis. The British Columbia legislature chose to say that if PIPEDA applies, PIPA will not. This is not about constitutional law. The Commissioners could have articulated a much more clear and straightforward response to this argument: TikTok collects personal information across Canada, in BC and elsewhere. PIPA applies to “the collection, use and disclosure of personal information that occurs within the Province of British Columbia” (This is from the federal regulation regarding PIPEDA’s application in British Columbia.) So in this joint investigation, BC’s PIPA applies to the personal information of British Columbians and PIPEDA applies to the personal information of individuals outside of British Columbia. They could have said that, but they didn’t. They did say it was about “overlapping protections” and not “silos”. I think this is incorrect. The British Columbia Act and the Federal Regulation clearly say: this is “the BC Commissioner’s silo”, and this is “the Federal Commissioner’s silo.”

So, the investigation moved forward jointly, setting the stage for three major questions:

Were TikTok’s purposes appropriate?
Was user consent valid and meaningful?
Did TikTok meet its transparency obligations — especially in Quebec?

The first issue asked whether TikTok was collecting and using personal information — particularly from children — for an appropriate and legitimate purpose.

TikTok’s terms forbid users under 13 (14 in Quebec), but the Commissioners found its age-assurance tools were largely ineffective. The platform relied mainly on a simple birth-date gate at signup, plus moderation for accounts flagged by other users or automated scans.

As a result, TikTok said that it removes around half a million under-age Canadian accounts each year — but regulators concluded that many more likely go undetected.

It seems to me that terminating half a million accounts a year because they think the user may be underaged is a pretty strong sign that the company is sincere in its desire to NOT have kids on their platform.

They also noted TikTok already uses sophisticated facial- and voice-analytics tools for other purposes, like moderating live streams or estimating audience demographics, but not to keep kids off the platform. The regulators want TikTok to re-purpose these tools for age estimation.

The Commissioners found that TikTok was collecting sensitive information from children — including behavioral data and inferred interests — without a legitimate business need. In their view, that violates the “reasonable person” standard under PIPEDA s. 5(3) and the comparable provisions in the provincial laws.

This part makes my head hurt a bit. The regulators said:

[67] In light of the above (as summarized in paragraphs 64 to 66), we determined that TikTok has no legitimate need or bona fide business interest for its collection and use of the sensitive personal information of these underage users (in the context of PIPEDA, PIPA AB and PIPA BC), nor is this collection and use in support of a legitimate issue (in the context of Quebec’s Privacy Sector Act). It is therefore our finding, irrespective of TikTok’s assertion that this collection and use is unintentional, that TikTok’s purposes for collection and use of personal information of underage users are inappropriate, unreasonable, and illegitimate, and that TikTok contravened subsection 5(3) of the PIPEDA, section 4 of Quebec’s Private Sector Act, sections 11 and 14 of PIPA BC and sections 11 and 16 of PIPA AB.

It’s clear that TikTok does not want children on its platform and takes active steps to keep children off its platform. The regulators were clear that they didn’t think the measures taken were adequate, but I didn’t see them say that TikTok was insincere about this. So they find that TikTok’s purposes for collecting personal information from children was not reasonable.

But TikTok had no purposes for collecting personal information from children. If kids make it through the age-gate and don’t have their account deleted, TikTok still does not want that data. They essentially said: “Your collection of personal information that you do not want and do not try to get is unreasonable.” Ok. I guess that’s their view.

The second issue focused on consent — whether TikTok obtained valid and meaningful consent for tracking, profiling, targeting, and content personalization.

The Commissioners said it did not.

They found that TikTok’s privacy policy and consent flows were too complex, too long, and lacked the up-front clarity needed for meaningful understanding. In particular:

Key information about what data was being collected and how it was used wasn’t presented prominently.
Important details were buried in linked documents.
The privacy policy was not available in French until the investigation began.
And users were never clearly told how their biometric information — facial and voice analytics — was used to infer characteristics like age and gender.

Even for adults, the Commissioners said consent wasn’t meaningful because users couldn’t reasonably understand the nature and consequences of TikTok’s data practices.

And for youth 13–17, TikTok mostly relied on the same communications used for adults — no simplified, age-appropriate explanations of how data is collected, used, or shared.

Under the Commissioners’ reasoning, because the data involved is often sensitive — revealing health, sexuality, or political views — TikTok needed express consent. They found the platform failed that standard.

[81] Additionally, while users might reasonably expect TikTok to track them while on the platform, which they can use for “free”, it is our determination that they would not reasonably expect that TikTok collects the wide array of specific data elements outlined earlier in this report or the many ways in which it uses that information to deliver targeted ads and personalize the content they are shown on the platform. Many of these practices are invisible to the user. They take place in the background, via complex technological tools such as computer vision and TikTok’s own machine learning algorithms, as the user engages with the platform. Where the collection or use of personal information falls outside of the reasonable expectations of an individual or what they would reasonably provide voluntarily, then the organization generally cannot rely upon implied or deemed consent.

The Commissioners’ reasoning is generally coherent, but I’m not sure that it directly leads to a requirement for express consent. Consent can be implied where the individual understands what information is being collected and how it will be used, and it makes sense to take into account whether the individual expects the collection and use. The main issue here is that there was collection and use of information outside the reasonable expectations of the individual. TikTok’s data practices are part of its “secret sauce” that has led to its success. Following the reasoning of the Commissioners … if TikTok had better calibrated the expectations of its users, it could have relied on implied consent.

The Quebec Commissioner took things even further. Under Quebec’s Private Sector Act, organizations must inform the person concerned before collecting personal information.

The CAI found TikTok failed to highlight key elements of its practices and was using technologies like computer vision and audio analytics to infer users’ demographics and interests without adequate disclosure.

The CAI also found that TikTok allowed features that could locate or profile users without an active opt-in action, violating Quebec’s rule that privacy settings must offer the highest level of privacy by default.

Now here’s where I think the Commissioners overreached.

They’re effectively holding TikTok — and by extension, every global digital platform — to a near-impossible standard.

First, on age verification: to exclude all under-13 users, TikTok would need to collect more information from everyone — things like government-issued ID or facial-age scans. That’s exactly the kind of sensitive biometric data privacy regulators have previously warned against.

So in demanding “better” age assurance, the Commissioners are actually requiring more surveillance and more data collection from all users — adults and teens alike. While it may be “protecting the children”, like so many age assurance tools it is actually privacy-invasive.

Second, on consent and transparency: privacy regulators have long said privacy policies are too long, too legalistic, and too hard to read. Yet here, they criticize TikTok for not providing enough detail — for not being even longer and more comprehensive.

So which is it? We can’t reasonably expect the average user to read a novel-length privacy policy, yet that’s what these findings effectively require.

And third, the Commissioners’ reasoning conflates complexity with opacity. TikTok’s algorithms and personalization systems are complex — that’s the nature of modern machine learning. Explaining them “in plain language” is a noble goal, but demanding a full technical manual risks burying users in noise.

In my view, this decision reflects a growing tension in privacy regulation: between idealism — the desire for perfect transparency and perfect protection — and pragmatism — the need for solutions that actually enhance user privacy without breaking the internet.

The regulators seem to be demanding a standard of perfection in a messy and complicated world. These laws can be applied reasonably and flexibly.

One final thing to note: The regulators say that information provided to support consent from young people (over the age of 13 or 14) has to be tailored to the cognitive level of those young people. That means it has to be subjective, in light of the individual. But the Privacy Commissioner of Canada is arguing in the Supreme Court of Canada against Facebook that consent is entirely objective, based on the fictional “reasonable person” (who is NOT a young person). They should pick a lane.

So, where does this leave us? TikTok has agreed to implement many of the Commissioners’ recommendations — stronger age-assurance tools, better explanations, new teen-friendly materials, and improved consent flows.

But whether these measures will truly protect privacy — or simply demand more data from more users — is a question regulators and platforms alike still need to grapple with.

The words “use” and “loss” in privacy laws may not mean what you think in a cyber-security incident

2025-09-21T21:00:00.004-03:00

I want to talk about a recent decision from the Ontario Divisional Court that affirms the Information and Privacy Commissioner’s very expansive view of what counts as a “use” or “loss” of personal information under Ontario’s privacy laws. Spoiler alert: it probably doesn’t mean what you think it means.

This case came out of ransomware attacks on two organizations: the Hospital for Sick Children in Toronto, known as SickKids, and the Halton Children’s Aid Society. Neither organization’s investigation found that hackers had actually looked at, copied, or stolen personal information. But both were still found by the Information and Privacy Commissioner of Ontario—the IPC—to have breached their obligations to notify individuals. And when the case went to court, the judges deferred to the regulator. Let’s look at what happened.

In 2022, both SickKids and Halton were hit by separate ransomware attacks. If you’re not familiar, ransomware is malicious software that encrypts systems and data so that they can’t be accessed unless a ransom is paid to get the decryption key.

Here, the attackers encrypted the systems at the container level—think of it like changing the lock on a filing cabinet. The files inside were untouched, unviewed, and un-exfiltrated, but temporarily unavailable.

Both SickKids and Halton promptly investigated, brought in cybersecurity experts, and concluded that there was no evidence of any data being accessed or stolen. They even notified the IPC, though they argued this was just a courtesy because the legal requirement to notify individuals wasn’t triggered. SickKids went further, posting public updates on its website and social media. But they didn’t include the mandatory line about the right to complain to the Information and Privacy Commissioner.

The IPC saw things differently. In 2024, it issued two decisions (Sick Kids, Halton CAS) . It found that both organizations had experienced a privacy breach involving an unauthorized “use” and “loss” of personal information. The trigger is an unauthorized “use” or an unauthorized “loss” of personal information. They concluded that the information was “used” and “lost” in an unauthorized manner, triggering the requirement to report to the Commissioner and to notify affected individuals. And to advise them of their right to complain to the Commissioner.

Why? The IPC reasoned that encrypting the containers “handled” or “dealt with” the personal information inside them, making it inaccessible to authorized users. That, it said, was enough to count as a “use.” And because the information was unavailable for a period of time, that was also a “loss.”

It should be noted that encryption at the container level did not expose any personal information and did not create any sort of risk to the affected individuals once remedied.

For Halton, the IPC ordered notice to affected individuals—though by way of a website posting rather than direct notification. For SickKids, since it had already gone public, no remedial order was made.

Both SickKids and Halton challenged the IPC’s decisions in court. The Ontario Hospital Association even intervened to support them, arguing that this interpretation of “use” and “loss” would lead to pointless over-notification and compliance burdens.

Now, this is where what we lawyers call the “standard of review” becomes important. When a court reviews an administrative decision, like one from the IPC, it doesn’t just substitute its own view of the law. Under a framework established by the Supreme Court of Canada in a case called Vavilov, the default standard is “reasonableness.” That means the court will defer to the regulator’s decision so long as it is “reasonable”, meaning it is internally coherent, justified, and within the bounds of the law.

In other words, unless the regulator really went off the rails, the court won’t step in.

The Divisional Court—Judges Sachs, Lococo, and Kurke—dismissed both the judicial reviews and Halton’s appeal.

They held that the IPC had reasonably interpreted “use” to include encryption that denied authorized users access to information, even if no one else ever looked at it. They also upheld the IPC’s finding that this was a “loss” of information, again because of the temporary unavailability.

The Applicants had argued that notification should only be required where individuals’ privacy interests were actually affected—where there’s a real risk of harm, like theft or misuse. The Court rejected that. Ontario’s Personal Heath Information Protection Act and Child, Youth and Family Services Act, 2017 don’t contain a “risk of significant harm” threshold. The statutes just say notify if information is “used” or “lost.” That’s the threshold.

The Court emphasized that words like “use” don’t necessarily carry their ordinary, common-sense or dictionary meaning. Instead, they take on the meaning given by the regulator, so long as that interpretation is reasonable.

I’ll be blunt: I don’t agree with this outcome. I understand why the Court deferred to the IPC, but I don’t agree with the IPC’s interpretation of those words. Encrypting a server at the container level is not, in any meaningful sense, a “use” of personal information. In any ordinary sense of the word, it was not “used”. Nobody viewed it, nobody copied it, and nobody exfiltrated it. The information was never actually touched. Ones and zeroes are moved around hard drives every minute of every day, and we don’t think of that as data being “used”.

And calling this a “loss”? At best, it was a temporary disruption. To me, that’s not what “loss” means. Putting it on a thumb drive and misplacing it would be a “loss”. If there was a temporary power cut to their data centre and the information was not accessible for an hour, we would not think that there’s any real unauthorized “loss” of the data. There was no risk of identity theft, no misuse, no real risk of harm to the individuals involved.

Here’s where I think the problem lies: Ontario’s PHIPA and the CYFSA don’t have a risk-based threshold. They require notification if there’s a “use” or a “loss,” regardless of whether there’s any actual risk to the individual. Compare that to the federal private sector law, PIPEDA. Under PIPEDA, an organization has to notify affected individuals and report to the federal Privacy Commissioner only if there’s been a “breach of security safeguards” that creates a “real risk of significant harm”.

That’s a sensible threshold. It filters out situations like this one, where the systems were disrupted but no one’s privacy was actually at risk. In my view, the PIPEDA standard is better. It focuses on the individual’s actual risk, rather than forcing organizations to notify just because a breach happened. Without a risk filter, you end up with over-notification, unnecessary costs, and notice fatigue, which ultimately makes people take these notices less seriously.

Because Ontario’s statutes don’t include a “real risk of significant harm” threshold, regulators like the IPC are free to take a very broad approach to words like “use” and “loss.” And courts, applying the deferential reasonableness standard, are not going to interfere.

So what does this mean for organizations in Ontario? It means that a word like “use” doesn’t always mean what you think it means. Regulators may adopt broader, purposive interpretations—especially in the context of cyberattacks. And courts, applying the reasonableness standard, will generally defer to those interpretations.

It also reinforces to me that privacy law is not really a practice area that one can just dabble in. Words in the statutes don’t necessarily mean what you’d think they mean. They have meanings given to them by the regulators, and the courts will generally defer to that interpretation.

The lesson is this: don’t rely on common-sense definitions of terms like “use,” “loss,” or “disclosure.” And don’t assume that the risk-based federal standard applies provincially. Look at how regulators are interpreting these terms in practice, because that’s what will stand up in court.

Recording conversations -- using AI gadgets and otherwise -- and the law in Canada

2025-09-14T19:52:00.003-03:00

One of the most common questions I get is about recording conversations. Can you do it? Is it legal? And maybe just as importantly … is it a good idea?

The answer is … complicated. And sometimes, even if it’s legal, it can be hostile or problematic.

A quick production note: I started a privacy law blog in 2004, and then started a YouTube channel at the end of 2021. In order to make this as accessible across multiple media, I’ve started a podcast that takes the audio and makes it available via Apple Podcasts, Spotify and the others. If you’d like privacy content while in the car or mowing the lawn, just look for “privacylawyer” in your favourite podcast app.

Now back to recording conversations and the law in Canada …

I’ll try to break it down.

Before we get into the traditional scenarios, let’s start with something very new: AI wearables.

You might have heard of something called the “Humane Pin”. The Humane AI Pin was a screenless, AI-powered wearable device designed by the American startup Humane. They somehow thought it could replace smartphones. After shipping in April 2024 to overwhelmingly negative reviews, Humane was acquired by HP, which discontinued the device's service in February 2025. Famously, Marques Brownlee - an incredibly influential YouTuber and product reviewer called it the worst product he’d reviewed. The Humane Pin flopped, but that wasn’t the end of “AI wearables.”

A more recent device is a thing called “Bee”. It’s a small wrist-worn gadget with microphones built in. The idea is kind of simple and a logical extension of a lot of what generative AI has to offer: You slap it on your wrist and it listens to what’s going on, it transcribes, and it helps you keep track of what’s said throughout your day. Think of it as a memory assistant. You can review conversations later, get reminders of “to-dos,” or even have it summarize meetings.

That sounds useful for productivity and accessibility. Imagine if English isn’t your first language, or if you’re hard of hearing, have a bad memory or if you simply want a perfect record of a complex meeting.

I’ve had relatives dealing with dementia, and something like this could be helpful, assistive technology when memories are fading and failing.

The catch is that they’re “always listening.” They’re not just catching your thoughts — they’re catching the people around you, likely without their knowledge. And that can raise privacy concerns.

Now, the law hasn’t changed because of gadgets like these. The same rules apply (which I’ll get into in greater detail): if you’re a party to the conversation, recording isn’t automatically illegal. But the scale and permanence are different. Instead of someone taking really detailed notes, now you have a verbatim transcript — stored in the cloud, maybe analyzed by AI, and potentially vulnerable to misuse or breach.

You may recall Google Glass, originally launched in 2014. It was pretty cool and likely ahead of its time. What caused privacy regulators heartburn was that it had an integrated camera. Though it was not recording all the time, the regulators really wanted it to have a red light on the front so that people around would at least be aware of whether it is recording. These new wearables are even less conspicuous and people whose voices can be captured likely have no knowledge that they’re being picked up.

Let’s dig into the law that applies to recording conversations in Canada, whether you do so on an old timey reel-to-reel recorder, your smartphone or an AI wearable. And these rules are the same whether you’re face-to-face, on a phone call or in a Teams meeting.

If we’re talking about conversations that begin and end in Canada, the first place to look is the Criminal Code of Canada. Part VI of the Code is actually titled “Invasion of Privacy,” and it makes it illegal to intercept a private communication unless you have authorization — like a warrant — or unless one of the legitimate parties to the conversation consents.

The Criminal Code makes it a hybrid offence (meaning that it can be prosecuted either as an indictable offence or a summary offence) to “knowingly intercept a private communication”. The maximum penalty is up to five years in prison. There’s a saving provision which says the offence does not apply to “a person who has the consent to intercept, express or implied, of the originator of the private communication or of the person intended by the originator thereof to receive it”.

This is often called “one-party consent.” In simple terms, if you’re part of the conversation, you can record it. But if you’re not part of the conversation, you can’t secretly bug the room, leave a phone recording on the table, and walk away. That would be illegal eavesdropping.

You’ll note that consent can be implied. I haven’t seen any cases on this point, but I’d think having a loud conversation in a public place within earshot of others may be “implied consent” for the conversation to be “intercepted.” But I would not want to be the test case.

While you might see CCTV surveillance cameras all over the place, they should NOT be recording audio. This would likely be illegal “interception of a private communication” and I don’t think signs like this one will get the requisite consent. Many consumer grade surveillance cameras that we’re now seeing all over the place also have a capability to record audio. If you’re using one of these cameras and they’re positioned where someone might be having a conversation, disable the audio collection.

So, if you’re a lawful participant in the conversation, the Criminal Code is not triggered. But if it’s someone else’s conversation, you can’t intercept it or record it.

But that’s not the end of the story. In Canada, we also have privacy laws: PIPEDA federally, plus provincial laws in Alberta, BC, and Quebec.

Here’s the key: these laws don’t apply to purely personal or domestic activities. So if you’re recording a conversation for your own memory, or for journalistic purposes, or to make a record of something for your own personal purposes, you’re not subject to PIPEDA when you’re doing that. The same applies for the provincial privacy laws of Alberta, BC and Quebec. Those laws generally apply to businesses and “organizations”.

But if you’re recording for commercial purposes — say, recording customer service calls — then privacy law kicks in. In those cases, you generally need to tell the person and get their consent. You’ll notice most companies start their customer service lines with: “This call may be recorded for quality assurance and record keeping purposes.” That’s why. The idea is that you’re on notice that it will be recorded and if you stay on the line, your consent to the recording is implied.

(Technically, the company has to list all the purposes for the recording and I think many are not doing a full job. For example, you can’t just say it’s for “quality assurance” purposes when you’re also keeping the recordings for record keeping purposes.)

And there’s more: even if a recording doesn’t violate the Criminal Code or privacy statutes, you may still face claims under provincial privacy torts, or common law actions for unreasonable invasion of privacy. This is a bit of a stretch for a conversation that the recorder is lawfully a part of, but I can certainly see a possible claim if the conversation was clearly of a private nature and the recording is made public.

Now let’s shift to the workplace. This is where the issue gets interesting — and frankly, tricky.

I was at a labour and employment law conference not long ago, and almost everyone in the room had a story about employees secretly recording conversations. Sometimes they recorded meetings with their supervisors, sometimes with colleagues. And in every anecdote I heard, it was a case where the other party to that conversation would not have agreed to the recording and people got really upset when the recording became known.

If the employee is a lawful party to the conversation, it’s not illegal under the Criminal Code. But does that make it okay? Not really.

Secretly recording a conversation is almost always seen as a hostile act. It signals distrust, it poisons the relationship, and it creates a “gotcha” culture.

Employers are within their rights to regulate this. I’ve heard of cases where an employee steps out of a meeting, but leaves their phone in the room, recording. The employee may be wondering if their colleagues talk about them when they’re not around. Well, that’s eavesdropping and a crime. If they secretly record meetings they’re attending, it may not be criminal — but it can still be problematic, and it may be against workplace policy. Employers should have policies about this.

Beyond ordinary workplaces, I’ve advised hospitals and health authorities about audio recording. Doctors and psychologists often feel uneasy when patients pull out a recorder. It can feel adversarial.

But sometimes recording is legitimate — even helpful. I remember when my father was diagnosed with cancer, my mother took detailed notes at every doctor’s appointment. There was so much information and all of it was overwhelming. If smartphones had been as common then as they are now, I would have suggested that she record these conversations, just to make sure she captured all the important information in such a stressful moment.

I’ve also spoken with psychologists where patients wanted to record therapy sessions. At first, practitioners felt uneasy. But when we explored it, recording actually improved therapy in some cases: patients could revisit the conversation, reinforce insights, and strengthen the therapeutic relationship. Once this was understood, the psychologists were concerned about whether the patients would adequately protect the recordings of these very sensitive conversations. Once the client walks about, that’s not really on the psychologist, but they can talk to their clients about this. I think in this scenario, it’s important for everyone to be on the same page.

So it’s not always hostile. Sometimes it’s accommodation. Sometimes it’s simply practical.

There’s also a new one that’s come up a lot recently: AI-enabled recording and transcription services that are built into or added onto video calls. You’ve probably seen them in Zoom or Microsoft Teams — a little box pops up saying “Recording and transcription is on.” I’ve seen people send their little ai companions to calls that they can’t attend personally.

These tools can be fantastic. They create a really good record of meetings, which can help with minutes, accountability, or accessibility — for example, if someone in the meeting is hard of hearing, or if English isn’t their first language. I’ve used automatic captions in a number of cases because it can be very helpful, and this is enabled by AI “interception.” Automatic transcription can also let people go back and confirm exactly what was said.

But they can also make people nervous. Suddenly, everything you say in a meeting is not just heard in the moment — it’s captured, stored, maybe even analyzed. That can change the vibe and how people participate.

It also creates a very detailed record that can be subject to discovery in litigation, which is its own risk.

From a legal standpoint, the rules haven’t really changed. If you’re part of the conversation, recording or transcribing isn’t illegal. In many ways, it’s not that different from someone taking very detailed and accurate notes. The real difference is scale and permanence: instead of one person’s notes, it’s a verbatim transcript that might live on a server indefinitely. It also creates a reliable record that is likely more credible in a hearing or a trial than any one person’s recollection or notes may be.

I think it’s a best practice for organizations to have a clear policy about the use of these tools. Decide when it’s appropriate, make sure everyone in the meeting knows what’s happening, and have rules around how those recordings and transcripts will be used, stored, and eventually deleted. I’m on the board of one volunteer organization, and it was decided that recording and AI transcription could be used but only to help the meeting’s secretary prepare the final minutes. Once the minutes were final, the recording and the transcript were deleted. The minutes are the official record.

And be careful about confidentiality. You may be fine with recording most of a meeting, but want to turn it off during any “in camera” period. And you’ll want to make sure that the recordings are securely stored in accord with the company’s records keeping policies.

Before I wrap up, I’ll mention two additional scenarios that are related to the legal system itself. First, under the rules of professional conduct for lawyers in Canada, there are requirements for a lawyer to notify a client or another legal practitioner of their intent to record a conversation. Rule 7.2-3 from the Law Society of Ontario Rules of Professional Conduct says

“A lawyer shall not use any device to record a conversation between the lawyer and a client or another legal practitioner, even if lawful, without first informing the other person of the intention to do so.”

So this requires notice, not consent. Essentially, you can’t do it secretly.

The second scenario related to the legal system is court hearings. As a general rule, you cannot record a court hearing without the permission of the presiding judge. I’ve been at hearings where reporters present are allowed to record, but the recordings can only be used to check the accuracy of their notes, and the recordings cannot be further disseminated or broadcast.

Privacylawyer content now available as a podcast

2025-09-08T08:30:00.001-03:00

I'm a longtime podcast listener and I watch a lot of YouTube. For some time, I've wanted to be sure that anyone who may be interested in my original content can get it wherever they want it. (That's one reason why I generally post the text of my YouTube videos here on the blog. Some people like to read words rather than watch a talking head.

From now on, my YouTube content will also be available as a podcast so you can just subscribe in your podcast app of choice.

The standalone page for the podcast can be found here: Privacylawyer - Canadian privacy and technology law with David Fraser.

Ontario privacy finding: Hidden biometrics in on-campus vending machines

2025-09-08T08:24:00.000-03:00

On August 27, 2025, the Information and Privacy Commissioner of Ontario released a revised finding against the University of Waterloo. The initial report was issued in June this year and I should have done an episode on it then. The case involved what looked like a pretty ordinary thing on campus — vending machines. Except these weren’t just any vending machines. They were “intelligent vending machines,” installed by a third-party service provider, and they secretly used biometric face detection technology.

That sounds creepy and the University was found to have violated Ontario’s public sector privacy law. It’s not as cut and dried, but there are some interesting takeaways from that decision.

Nobody on campus was aware that these vending machines use face detection technology until one of the machines malfunctioned and flashed an error message on its screen — basically outing itself as running “FacialRecognition.App.exe.” Understandably, students complained. It got a lot of media coverage and some buzz on Reddit.

The Information and Privacy Commissioner of Ontario investigated.

At the outset, the University of Waterloo challenged whether the Commissioner even had jurisdiction here. The University argued that this wasn’t really about Ontario’s Freedom of Information and Protection of Privacy Act — instead, they said it was governed by the federal Personal Information Protection and Electronic Documents Act or PIPEDA. Their reasoning? Selling snacks through vending machines is a commercial activity. And PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity. And that meant the federal law applied, not the provincial law.

They also argued that if the vending machines didn’t actually capture personal information — as the manufacturer claimed — then there was nothing for the Commissioner to investigate. And finally, Waterloo tried to limit its responsibility by pointing out that it never contracted for biometric collection in the first place. In their view, if the vendor went off and deployed face detection technology, that wasn’t for them, they didn’t ask for it and they should not be on the hook for it.

The Commissioner rejected all of those jurisdictional arguments. The decision emphasized that under FIPPA, Ontario institutions like universities are responsible for personal information collected by vendors operating on their behalf — even when those vendors are engaged in activities with a commercial character. The Commissioner leaned on the “double aspect” doctrine in our constitutional jurisprudence: both federal and provincial laws can apply at the same time. In other words, even if PIPEDA could cover some of the activity, that doesn’t oust FIPPA.

So the bottom line on the jurisdiction question was that the University of Waterloo couldn’t escape the Commissioner’s oversight just by pointing to federal law or saying “we didn’t know.” Once personal information was being collected on its campus by machines it authorized, the University was on the hook under FIPPA

On the merits, the Commissioner concluded that the machines were capturing facial images, even if only for milliseconds. Not surprisingly, these facial images qualify as “personal information” under Ontario’s Freedom of Information and Protection of Privacy Act (FIPPA).

The collection wasn’t authorized by law, wasn’t necessary for selling chips and chocolate bars, and no notice was given.

Therefore, in the IPC’s view, Waterloo had violated FIPPA.

In order to find Waterloo at fault, or in violation of FIPPA, the IPC asks and answers three questions:

The IPC asked: “Did Waterloo “collect” personal information?” The Commissioner said yes. Even though the vendor claimed the system only processed images in real time, the machines captured full facial images in memory to estimate age and gender. That’s enough to count as a collection of personal information.

But really? Was it really Waterloo who “collected” personal information? Legally, yes. They had a vendor who was supplying goods and services on their behalf and the University is responsible for that.

Then the IPC asked: “Was the collection compliant with FIPPA?” No. Section 38(2) of FIPPA says you can only collect personal information if it’s expressly authorized, needed for law enforcement, or necessary to carry out a lawful activity. Selling snacks doesn’t need biometric data. It might be “helpful” for marketing — but helpful isn’t the same as “necessary.” And also, no notice was given that personal information was being collected and why.

Finally, the IPC asked: “Did Waterloo have reasonable measures to protect personal information?” The Commissioner said they had decent contract clauses, but they fell down in procurement. They didn’t do the privacy risk assessment that could have flagged the biometric capability. That failure meant they didn’t exercise enough due diligence, and so they’re responsible.

Here’s where I think the finding is problematic. Waterloo had no knowledge of the biometric functionality. They weren’t using it, they didn’t ask for it, and their contract didn’t mention it. The vendor who responded to the RFP for vending machines apparently wasn’t aware of this functionality in some of the machines they provided. That other supplier embedded this capability, and at the time nobody was aware of it.

Due diligence usually asks the question with reference to what a reasonably prudent person would have done in the same circumstances. Without the benefit of hindsight, I think the University met that standard. But they could have done better, so the University is still on the hook for a privacy violation. It seems to be holding them to a higher standard, based on what we know now.

It could have been enough to just give them a gentle slap upside the head, saying it’s 2025 and we need to assume that anything that uses electricity – and particularly if it’s a “connected device” – has the potential to collect personal information. You need to check. Even vending machines.

Think about what this means in practice:

Does every university, hospital, or government office now need to disassemble or reverse-engineer every piece of technology it procures? Almost.

Do they need to anticipate hidden biometric features in a vending machine?

Or test for surveillance capabilities in every piece of software?

That’s a pretty heavy burden — one that goes far beyond what most organizations reasonably do. I guess the standard for reasonable diligence has to be raised.

Yes, we want institutions to take privacy seriously. Yes, procurement processes should involve risk assessments. But here, it feels like the University is being faulted for not uncovering something that was essentially hidden. I’m not sure we can fault them for not asking at the time whether a vending machine used biometrics. We know now, but I don’t think they should be expected to have known to ask back then.

While the vendor was not in the cross-hairs of the IPC’s investigation, vendors need to be mindful. If you build a product with biometric capabilities, you should have to disclose it — clearly and up front. If it’s an “internet of things” connected thing, it should be clearly identified as such. There probably is a boilerplate term in contracts that put the vendor on the hook if they cause the customer to violate any applicable law.

In the end, a finding of having violated FIPPA isn’t like a criminal charge. The IPC issued two recommendations, which the university agreed to implement. First was to review their policies to make sure that future collection of personal information complies with FIPPA. Second was to implement practices to carry out necessary due diligence to identify, assess and mitigate any potential risks to personal information throughout the entire procurement process, including during the planning, tendering, vendor selection, agreement management and termination phases.

There’s a lesson here for everyone: I guess it’s time to update all your procurement and vendor documentation to ask about any connected or biometric features. Ask detailed questions about every bit of gear being installed and fully understand their capabilities. And I’d include reps and warranties in my contacts allowing for the termination of agreements if there has been any misrepresentation about the possible collection of personal information.

One thing also to note is I think this would have gone differently for the university if the vendor wasn’t the university’s service provider. As I mentioned before, the university is on the hook for all personal information collected by their service providers, whether they wanted the information collected in the first place. But if the university had structured the arrangement differently, they likely would have avoided that direct responsibility. For example, if the agreement was more like the bare rental of space for the placement of vending machines on campus, the element of custody or control of the data likely would not have been there. Imagine the university enters into a lease with Starbucks to put a coffee shop in the library atrium. In such a scenario, you wouldn’t really see the University as being responsible for Starbucks’ collection of personal information as part of the Starbucks Rewards loyalty program. Or maybe the privacy commissioner would take a different view? I kind of hope not.

In any event, there are more than a few lessons to learn from this finding.

Bill C-2 "Strong Borders Act" - Supporting Authorized Access to Information Act (Part 15)

2025-07-16T10:42:00.001-03:00

On June 3, the new Canadian government tabled Bill C-2 in Parliament, called “An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures” but with a short title of the “Strong Borders Act”.

Once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. I’m really getting tired of these sorts of bills. (See Canadian Privacy Law Blog: Past Canadian "lawful access" attempts, both by Liberal and Conservative governments.)

In my last episode, I discussed Part 14 of the Bill, which creates new law enforcement authorities to get customer information, either without a warrant or court order, or with an order but based on a very low standard. In this episode, I’ll go over Part 15, which creates a standalone “Supporting Authorized Access to Information Act”. The government says this is simply to make sure that electronic service providers have the capacity and capability to “share information” with “authorized persons”.

I think it goes beyond this. It is similar to Bill C-26 from the last Parliament, as it allows the government to dictate what technologies electronic service providers use. This time is to create the capability for law enforcement to plug into service providers’ systems.

Throughout this discussion, I can’t help but be reminded that the US has had something similar in their laws, and the mandated intercept capabilities were used by Chinese hackers to get access to data.

The "Salt Typhoon" hacking incident, attributed to a Chinese state-sponsored advanced persistent threat (APT) actor, came to light in late 2024 with revelations that the group had extensively compromised the computer systems of multiple major U.S. telecommunications companies. The stolen information included call and text message metadata, and in some high-profile instances, even audio recordings of phone calls belonging to government officials and political figures.

A critical factor facilitating the Salt Typhoon incident was the very infrastructure put in place to comply with the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, CALEA mandates that telecommunications providers build "lawful intercept" capabilities into their networks to allow law enforcement and intelligence agencies to conduct court-authorized wiretaps. While intended for legitimate surveillance, these mandated "backdoors" created inherent vulnerabilities within the telecom networks. Salt Typhoon exploited these CALEA-mandated systems, effectively turning the tools designed for lawful access into pathways for unauthorized espionage.

This is what’s coming to Canada …

The Supporting Authorized Access to Information Act creates a framework in which the Government of Canada can require electronic service providers to facilitate law enforcement and intelligence services’ access to data and information. Much of its scope is left to regulations. The sweep of what entities can be in scope of the Bill if very broad by regulating “electronic service providers”:

electronic service provider means a person that, individually or as part of a group, provides an electronic service, including for the purpose of enabling communications, and that

(a) provides the service to persons in Canada; or

(b) carries on all or part of its business activities in Canada.‍ (fournisseur de services électroniques)

electronic service means a service, or a feature of a service, that involves the creation, recording, storage, processing, transmission, reception, emission or making available of information in electronic, digital or any other intangible form by an electronic, digital, magnetic, optical, biometric, acoustic or other technological means, or a combination of any such means.‍ (service électronique)

This is extremely broad, and would likely capture almost all communications services that provide any service to Canadians. It likely covers VPN – or virtual private network – providers as they provide a service that involves the transmission of information. This would also scope in text messages, emails, phone calls, voice over IP calls and video calls.

The Act specifically will target “core providers”, who are “electronic service provider[s] belonging to a class of electronic service providers set out in the schedule.” In the version of the Bill tabled at first reading, the schedule is blank. I guess “to be determined”, but I expect it’ll be all the major telcos and internet service providers in Canada. It may include the significant messaging providers, like Apple, WhatsApp, Microsoft Teams, Zoom and email providers like Microsoft, Apple, Google.

It is very, very broad in its possible scope.

Ministerial regulations for “core providers”

The Act, in s. 5(2), empowers the government to create regulations placing obligations on core providers which relate to intercept and access capabilities and includes the installation of devices, etc. on behalf of “authorized persons”.

(a) the development, implementation, assessment, testing and maintenance of operational and technical capabilities, including capabilities related to extracting and organizing information that is authorized to be accessed and to providing access to such information to authorized persons;

(b) the installation, use, operation, management, assessment, testing and maintenance of any device, equipment or other thing that may enable an authorized person to access information; and

(c) notices to be given to the Minister or other persons, including with respect to any capability referred to in paragraph (a) and any device, equipment or other thing referred to in paragraph (b).

Importantly, a core provider is not required to comply with a regulation “if compliance with that provision would require the provider to introduce a systemic vulnerability in electronic protections (defined as ‘authentication, encryption and any other prescribed type of data protection’) related to that service or prevent the provider from rectifying such a vulnerability.” This would permit a regulated core provider to refuse to install a backdoor or compromise encryption if that would create a systemic vulnerability.

Core providers can apply for an exemption for a specified period of time, in order to have time to come into compliance.

Orders directed to specific electronic service providers

Per s. 7, the Minister is able to issue orders to any electronic service provider, regardless of whether they are a core provider, along the lines of regulations authorized under s. 5(2) for a specified period of time. In making the order, the Minister must consider:

(a) the benefits of the order to the administration of justice, in particular to investigations under the Criminal Code, and to the performance of duties and functions under the Canadian Security Intelligence Service Act;

(b) whether complying with the order would be feasible for the electronic service provider;

(d) the potential impact of the order on the persons to whom the electronic service provider provides services; and

(e) any other factor that the Minister considers relevant.

The Minister, in their discretion, may provide compensation to offset some of the costs incurred in paragraph (c). Similar to compliance with regulations, an electronic service provider is not required to comply with a portion of an order that would “require the provider to introduce a systemic vulnerability in electronic protections related to that service or prevent the provider from rectifying such a vulnerability.”

The Minister is required to permit affected electronic service providers to make representations prior to issuing an order under s. 7.

Obligations to assist

The Act contains a very broad and problematic obligation on all electronic service providers to provide all reasonable assistance to a range of persons to “permit the assessment or testing of any device, equipment or other thing that may enable an authorized person to access information.” The list of persons authorized to make this demand include the Minister, CSIS employees, police officers and civilian employees of a police force.

There is no threshold and no limitation on this power. For example, there is no requirement for approval from the Minister or any other senior person. It does not have to be reasonably necessary for any purpose related to the Act. You could have a lineup of people from every municipal police department out the door of an electronic service provider, the they have to provide this unlimited and unbounded assistance.

Prohibitions on disclosure

The Act contains, at s. 15, very broad prohibitions on disclosure by electronic service providers, including whether one is subject to an order, the contents of an order, information relied upon by the Minister in making an order, representations made by the electronic service provider or the Minister, the fact that representations were made. This is ridiculous. It may make sense to give the Minister the power to issue gag orders from time to time, where they are of the view that disclosure of the information would compromise law enforcement or national security.

In this country secrecy should be the exception – and should have to be justified – not the default, particularly with respect to services we use every day and our civil liberties. This is so prone to overreach and possible abuse, and all of it takes place in the shadows.

It is very problematic that an electronic service provider is prohibited from disclosing “information related to a systemic vulnerability or potential systemic vulnerability in electronic protections employed by that electronic service provider”. This would mean that if any electronic service provider were to discover a vulnerability in their system, it would be prohibited by Canadian law from disclosing it to anyone. This may include a prohibition on disclosure to customers who may have been affected by a past or current vulnerability, or even that company’s own contractors who carry out security audits on its systems. For example, if a telco discovers a vulnerability in a router, they will tell the manufacturer of the router and various organizations that work diligently to make sure that the entire cybersecurity community can identify and fix vulnerabilities.

If a telco finds a vulnerability in a system used by all Canadian telcos (because the government will get to dictate what systems telcos use), they can’t alert the other telcos about that vulnerability.

Paragraph (g) is actively harmful to Canadians, and will be a huge boon for the bad guys who look for and exploit these vulnerabilities. It really, really has to go.

The parameters of these prohibitions on disclosure can be subject to regulations made pursuant to s. 17 of the Act.

Under s. 16, if an electronic service provider is to seek an application for judicial review of any order or decision under the Act, it is prohibited from doing so unless it gives fifteen days’ advance written notice to the Minister, along with a copy of the notice of application.

Under s. 17, the Government can make regulations respecting confidentiality and security requirements for electronic service providers and persons acting on their behalf must comply. Specifically, it authorizes regulations:

(a) respecting the disclosure of information referred to in section 15;

(b) establishing rules of procedure for the protection of information referred to in section 15 in administrative or judicial proceedings;

(c) respecting requirements related to employees of electronic service providers and other persons whose services may be engaged by electronic service providers, including with respect to their security clearance and location; and

(d) respecting security requirements with respect to the facilities and premises of electronic service providers.

This is extremely broad, and is not limited to confidentiality and security measures that are reasonably required related to the purposes of the Act. Remember, “electronic service provider” is broad enough to include service providers completely and entirely outside of Canada.

It potentially includes requirements for all of an ESP’s facilities regardless of location, and paragraph (c) even permits regulations regarding where facilities can be located, and security clearances for employees.

This is clear overreach. None of it is limited to protecting the security of the lawful intercept and information gathering capabilities dictated by the Act.

Enforcement and administration

The Act gives the Minister authority to designate persons (or classes of persons) to administer and enforce the Act. These designated persons are given vast powers under s. 19 to enter any place (other than a dwelling) to verify compliance or to prevent non-compliance with the Act. Within such a place, they are authorized to:

(a) examine anything found in the place, including any document or electronic data;

(b) make copies of any document or electronic data that is found in the place or take extracts from the document or electronic data;

(d) use or cause to be used any computer or data processing system at the place to examine or copy electronic data; and

(e) use or cause to be used any copying equipment at the place to make copies of any document.

The Act places an obligation on every owner of a place, a person in charge of the place and everyone in the place to give all assistance that is “reasonably required” by the designated person, including providing any document or electronic data “they may reasonably require”. In addition, in 19(6), a designated person can bring anyone with them to assist.

This is not specifically limited to places in Canada, but likely cannot be enforced outside of Canada. Again, this is completely without limits. The designated person can say “I want your entire customer database” and the ESP ostensibly needs to comply. Even more, it would be illegal for an employee there to not assist with this outrageous demand.

Audit orders

Under s. 21, a designated person can order an electronic service provider to conduct an internal audit “of its practices, documents and electronic data to determine whether it is in compliance with any provision of this Act or the regulations.” A copy of the audit must be provided to the designated person, and if the audit uncovers any non-compliance, it must specify the non-compliance and measures taken or to be taken to comply with the relevant provision or order.

Orders by designated persons

The Act, at s. 23, gives the designated persons order-making powers. If they believe “on reasonable grounds that there is or is likely to be a contravention of the Act or regulations, they can issue a written, mandatory order requiring an electronic service provider to:

(a) stop doing something that is or is likely to be in contravention of that provision or cause it to be stopped; or

(b) take any measure that is necessary to comply with the requirements of that provision or mitigate the effects of non-compliance.

These orders are subject to review by the Minister, on request of the electronic service provider. Unless otherwise ordered by the Minister, the order issued by the designated person must be complied with.

Administrative monetary penalties and offences

The Act, at s. 27 et seq, provides for a full administrative monetary penalty (AMP) regime that is intended to “promote compliance with this Act and not to punish”, along with penal offences at s. 40 et seq.

If a contravention results in an AMP, the penalty can be up to CAD $250,000, and if a violation continues more than one day, each day constitutes an additional violation. The due diligence defence is available, as are common law defences.

The Act provides for liability by corporate “directors, officers or agents or mandataries who directed, authorized, assented to, acquiesced in or participated in the commission of the violation”. A notice of violation will set out the amount of the AMP, which can be simply paid, which amounts to an admission of the violation. Alternatively, the alleged violator can enter into a compliance agreement with the Minister or request a review by the Minister of the acts or omissions that constitute the alleged violation, or the amount of the penalty.

In a review by the Minister for a violation, the evidentiary standard is balance of probabilities and there is no prescribed appeal from the Minister’s decision. Judicial review would likely be available in the Federal Court of Canada.

Violations can also be penal offences, which are summary conviction offences with a maximum fine of $500,000. If a violation continues more than one day, each day constitutes an additional violation. As with AMPs, due diligence is a defence and officers/directors can also be convicted if they “directed, authorized, assented to, acquiesced in or participated in the commission of the offence”. It is also an offence to obstruct or make a false or misleading statement to (a) a person authorized to assess or test any device, equipment or other thing, or (b) a designated enforcement person.

In a nutshell, this part of Bill C-2 has enormous impacts on electronic service providers – globally – and represents a huge overreach with enormous power and discretion given to the Minister and “designated persons”. It has the potential to introduce significant vulnerabilities into the systems we use every day for our most private communications and also may completely upend the practice of information sharing that is the foundation for keeping the internet safe and secure.

This “Supporting Authorized Access to Information Act” should be taken out of Bill C-2 so it can get the attention, discussion and scrutiny it deserves. I am really, really afraid that it’ll be jammed through Parliament under the guise of strengthening our border to appease the current US government. And we know that once governments get powers, they never surrender them.

Bill C-2 "Strong Borders Act" - New demands and orders for customer information (Part 14)

2025-07-16T10:13:00.001-03:00

As the name implies, it’s mostly about border measures, customs stuff, fentanyl and immigration. But once again, following in the footsteps of past conservative and liberal governments, it contains a trojan horse that revives what has come to be known as “Lawful Access”. The Bill contains a number of search, seizure and surveillance measures that have nothing to do with the border or fentanyl. In the past, governments have tried to introduce similar measures under the guise of fighting terrorism, child abusers and cyberbullies. Now it’s apparently border security.

I’m really getting tired of these sorts of bills and for a brief moment, I was hopeful that this new government would take a different route. Apparently not. I am completely confident that the lawful access provisions of his bill have been sitting in a drawer at the Department of Public Safety, desperately waiting for an opportunity to put it in a slightly relevant bill. Sigh.

For now, I’m going to focus on Part 14 of Bill C-2 which amends the Criminal Code in a bunch of ways. Part 15 creates a whole new law called the “Supporting Authorized Access to Information Act”, which I’ll have to cover in another episode.

Part 14 creates a new police order or “information demand”, without judicial oversight or control, to require service providers to hand over basic information about customers. It dramatically truncates the response time for production orders and unrealistically gives service providers only five days to challenge a production order. It amends the law to clarify that cops can just ask for information and service providers can just hand it over. It may also permit the cops to use illegally hacked and leaked data in their investigations.

It creates a new production order for subscriber information that police can get with only “reasonable grounds to suspect” an offence has taken place, not the usual “usual grounds to believe” an offence has taken place. And it’s broader than most general production orders I’ve seen for “basic subscriber information”.

The Bill creates a puzzling new warrant that allows a judge to authorize a peace officer or public officer to obtain tracking data or transmission data that relates to any thing that is similar to a thing in relation to which data is authorized to be obtained under the warrant and that is unknown at the time the warrant is issued. So if the cops get a warrant to track a certain thing, and then discover it's related to another thing that can also track the person, they can get data from the second thing. Hmm.

Finally, Part 14 includes a weird judicial authorization to make a request for data from a foreign entity.

The new “information demands”.

This new section 487.0121 of the Criminal Code authorizes a “peace officer or public officer”, without judicial authorization, to make a demand of any person who “provides service to the public” requiring them to provide any of the following information in this list.

Information demand

487.‍0121 (1) A peace officer or public officer may make a demand in Form 5.‍0011 to a person who provides services to the public requiring the person to provide, in the form, manner and time specified in the demand, the following information:

(a) whether the person provides or has provided services to any subscriber or client, or to any account or identifier, specified in the form;

(b) if the person provides or has provided services to that subscriber, client, account or identifier,

(i) whether the person possesses or controls any information, including transmission data, in relation to that subscriber, client, account or identifier,

(ii) in the case of services provided in Canada, the province and municipality in which they are or were provided, and

(iii) in the case of services provided outside Canada, the country and municipality in which they are or were provided;

(c) if the person provides services to that subscriber, client, account or identifier, the date on which the person began providing the services;

(d) if the person provided services to that subscriber, client, account or identifier but no longer does so, the period during which the person provided the services;

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

(f) if the person is unable to provide any information referred to in paragraphs (a) to (e), a statement to that effect.

Paragraphs (a) and (b) are clearly intended to deal with the situation where the police have a phone number, and want to go to Rogers or Bell and ask “is this number serviced by you”? And if so, where is the service provided and whether they have customer records. That tells them enough information to refer the case to the local police where the customer is. Regularly, the RCMP in Ottawa receive information from a foreign police agency that’s just associated with an IP address. They may know it’s a Rogers IP address, but they don’t know where the potential suspect is. Now Rogers will have to tell them, without a warrant or court order, “yes, that’s our customer and they live in Montreal.” No directly identifying information is supposed to be shared.

I don’t have a big problem with this. I am concerned about paragraph (e), however.

(e) the name or identifier, if known, of any other person who provides services to the public and who provides or has provided services to that subscriber, client, account or identifier and any other information, if known, referred to in any of paragraphs (b) to (d) in relation to that other person and that subscriber, client, account or identifier; and

So if the service provider knows that the customer in question gets services from anyone else, that also has to be disclosed. So if the Eastlink customer has a Hotmail address on file, I think they have to disclose that the person is also a Microsoft customer. What could be more problematic is if a company that supports OAuth logins (like using your Microsoft account to log into other services), this may require disclosing where those logins take place.

The threshold for making such a demand is that they have “reasonable grounds to suspect” (a very low threshold) that (a) an offence has been or will be committed under any Act of Parliament and (b) the information demanded will assist with the investigation of the offence. The peace officer or public officer can impose a non-disclosure order.

The person receiving the order has only 5 days to seek to have the demand varied or revoked, and has to give notice to the peace officer or public officer of its intent to have the demand varied or revoked. Five days is not much, in my view. The threshold for varying or revoking a demand is if “(a) it is unreasonable in the circumstances to require the applicant to provide the information; or (b) provision of the information would disclose information that is privileged or otherwise protected from disclosure by law.” Demands like these seem unlikely to disclose privileged information.

The next significant thing in Part 14 of Bill C-2 is a “production order for subscriber information”. Unlike in previous “lawful access” attempts, this does require judicial authorization, but the threshold is very, very low. It’s just above the police having a “hunch”.

We have a new section 487.0142, which creates a new production order for subscriber information with a very low threshold of simply “reasonable grounds to suspect” that (a) an offence has been or will be committed under the Criminal Code or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

487.0142 (1) On ex parte application made by a peace officer or public officer, a justice or judge may order a person who provides services to the public to prepare and produce a document containing all the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

Unlike a General Production Order, this order requires the production of “all the subscriber information” in the recipient’s possession. The General Production Orders that I see on a regular basis name the specific data being sought. These orders are for “all subscriber information”, which is broadly defined:

subscriber information means, in relation to any client of a person who provides services to the public or any subscriber to the services of such a person,

(a) information that the subscriber or client provided to the person in order to receive the services, including their name, pseudonym, address, telephone number and email address;

(b) identifiers assigned to the subscriber or client by the person, including account numbers; and

(i) the types of services provided,

(ii) the period during which the services were provided, and

(iii) information that identifies the devices, equipment or things used by the subscriber or client in relation to the services. (renseignements relatifs à l’abonné)

Look at (a): it likely also includes billing information. If it’s a paid service, like a cell phone, bank account or credit card information would have been provided when the account was set up. I do not regularly see this in general production orders for subscriber information.

It is worth pointing out that these orders can be obtained to investigate any “offence” in any Act of Parliament. This is not limited to the Criminal Code or the Controlled Drugs and Substances Act or the Customs Act. This includes the Canada National Parks Act.

And I really must emphasise that “reasonable grounds to suspect” is a very low threshold. It is the lowest in our legal system, since our system doesn’t recognize “hunches” or “spidey senses”.

This is in direct response to the Supreme Court of Canada’s decision in R. v. Spencer where the court said that the police can’t just ask for subscriber information, but it must be on the basis of exigent circumstances or in accord with a “reasonable law”. The government clearly thinks this is a “reasonable law” that gets them there.

Next up are Applications for requests of transmission data or subscriber information from a foreign entity.

The new s. 487.0181 is a bit unusual, as it creates a power to authorize a “request” (not an order) directed at a “foreign entity that provides telecommunications service to the public.” The request is approved by a judge on an application by a peace officer or a public officer.

487.‍0181 (1) On ex parte application made by a peace officer or public officer, a justice or judge may authorize a peace officer or public officer to make a request to a foreign entity that provides telecommunications services to the public to prepare and produce a document containing transmission data or subscriber information that is in the foreign entity’s possession or control when it receives the request.

The request is limited to transmission data or subscriber information.

The threshold for issuing such a request is again “reasonable grounds to suspect that (a) an offence has been or will be committed under this or any other Act of Parliament; and (b) the transmission data or the subscriber information is in the foreign entity’s possession or control and will assist in the investigation of the offence.”

It is really weird. So the police go to a judge to get an authorization to make a non-compulsory request to a foreign entity. Essentially all this does is make sure that the cop swears in front of a judge that they have reasonable grounds to suspect, and the judge concurs with this. But it’s not compulsory.

I expect that this is in response to the controversy surrounding the Breknell case from British Columbia that questioned whether production orders can be issued naming entities physically outside of Canada.

This may also be intended to take account of arrangements like a CLOUD Act agreement, contemplating the inclusion of information that may be necessary under the laws of a foreign state:

Form

(4) The production request is to be in Form 5.00803 and may include any information that is required by the foreign entity, by the foreign state in which the foreign entity is located or under an international agreement or arrangement to which Canada and the foreign state are parties.

Again, these are not court orders, but are issued like a court order. What the cop sends to the foreign service provider is the request, and a copy of the authorization.

I think this will cause a lot of confusion. A large number of non-Canadian service providers will respond to general production orders, particularly where the investigation relates to a person they identify as being in Canada. For some such entities, their privacy policies say they’ll only disclose information where “required by law”, and if they are following PIPEDA with respect to Canadian customer data – as they should – “required by law” is one of the exceptions that allows a disclosure to police. These requests don’t trigger the “required by law” exception in our privacy law. Also, some US service providers require that the thresholds largely align with the American “probable cause” standard. Reasonable grounds to suspect does not meet that threshold.

So cops may think they just have to send a request and the foreign service provider may say that’s not sufficient, we want a production order. So back to the judge.

I note these can be combined with an order of non-disclosure, which is binding at least under Canadian law. Whether it can really bind a foreign company is not clear.

What’s also puzzling is that officials from the government, during the technical briefing on the Bill, said none of our “five eyes partners” (meaning the US, UK, Australia and New Zealand) require an order for police to get subscriber information. That’s not my experience.

Now onto “exigent circumstances”...

Clause 167 of the Bill codifies what I understand to be the common law related to “exigent circumstances.” Just so we’re on the same page: “Exigent circumstances” exist where (a) there is imminent threat to the public or public safety; or (b) a risk of loss or destruction of evidence.”

The Code has generally permitted peace officers to search and seize in “exigent circumstances” if the conditions for obtaining a warrant exist, but exigent circumstances mean it would be impracticable to obtain a warrant. The provision, s. 487.11 of the Code, is being replaced to scope in powers that are available under certain production orders. The underlined portions are what have been added to the existing s. 487.11.

Essentially, this means that a peace officer or public officer may make a demand that has the force of law without a court order where exigent circumstances make seeking the order impracticable.

It is unclear to me whether a demand under (b) would have the same force and effect as a production order for the same data, and whether non-compliance could result in the same penalties.

Bill C-2 amends section 487.0193 to dramatically and problematically truncate the window of time to commence a review to revoke or vary a production order issued under sections 487.014 to 487.018 of the Criminal Code. The new timeframe is FIVE DAYS after the date of the Order. It was previously prior to the deadline referred to in the order, which is generally 30 days.

This is unworkable in my view. I regularly see production orders that were delivered to the service provider days after they were issued. I sometimes interact with cops who already have an order and want to know where to send it. After this amendment, the clock is ticking rather loudly. If a cop gets an order on a Thursday before a long weekend, delivers it on a Friday, it may not come to anyone’s attention until Tuesday. And making a decision to challenge a production order isn’t usually made by the person in corporate security who first review it. It’ll have to go up a chain of command. By the time a decision-maker gets their eyes on it, the window will have closed. And they can’t even make an application unless they get ahold of the cop to tell them that it will be challenged.

In my experience, this will be completely unworkable for most service providers.

For some time, s. 487.0195 of the Code has contained provisions that say a police officer can always ask for information that would otherwise be subject to a production order, and to obtain that information where the person is not prohibited by law from disclosing. Clause 164 Bill C-2 amends this section to add subsections that clarify that this includes data that could be the subject of an information demand under the new section 487.0121.

The section appears intended to provide immunity to a service provider who voluntarily provides information that would otherwise be subject to a production order. So a cop asks a bank or a telco to “voluntarily” provide customer data, and the bank or telco says “sorry, we can’t because privacy laws prohibit it and we’ve agreed with our customers that we’ll only provide data where required by law.” The cop can point to this section and say “so what? They can’t successfully sue you and you have no civil or criminal liability for providing the data”. I’d respond saying that our privacy laws are not about criminal or civil liability, come back with a warrant.

And paragraph (4) says that cops can always use information that is “available to the public.” I’ve heard some raise concerns that this would include data that is publicly leaked via hacking or other nefarious means. So they can go trolling through the Ashley Madison leaks, I guess.

I’ll have to save the deeply Supporting Authorized Access to Information Act for another episode, so stay tuned for that.

Overall, I really hope that the government gets a lot of shaming for putting this trojan horse in the border bill. These expanded law enforcement powers are consequential and deserve to be appropriately discussed and debated. I think that’s why the government decided to go this route, to avoid the huge outcry we’ve seen in the past related to prior lawful access attempts.

Discussion with Michael Geist about the part of Bill C-2 that is not getting enough attention

2025-06-30T16:59:00.002-03:00

Past Canadian "lawful access" attempts, both by Liberal and Conservative governments

2025-06-26T16:58:00.004-03:00

2005 (Lib - Paul Martin - Minister Anne Maclellan) - C-74 (38-1) - LEGISinfo - Parliament of Canada - Short title: Modernization of Investigative Techniques Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-74

2009 (Con - Stephen Harper - Minister Peter Van Loan) - C-47 (40-2) - LEGISinfo - Parliament of Canada - Short title: Technical Assistance for Law Enforcement in the 21st Century Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-47

2011 (Con - Stephen Harper / Minister Vic Toews) - C-52 (40-3) - LEGISinfo - Parliament of Canada - Short title: Investigating and Preventing Criminal Electronic Communications Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-52

2012 (Con - Stephen Harper / Minister Vic Toews) - C-30 (41-1) - LEGISinfo - Parliament of Canada - Short title: Protecting Children from Internet Predators Act (Did not pass)

Library of Parliament Legislative Summary for Bill C-30

2013 (Con - Stephen Harper / Minister Peter MacKay) C-13 (41-2) - LEGISinfo - Parliament of Canada - Short title: Protecting Canadians from Online Crime Act (Passed)

Library of Parliament Legislative Summary for Bill C-13

Materially misleading statements in the Charter Statement for Bill C-2's Lawful Access provisions

2025-06-23T15:35:00.007-03:00

The government of Canada – specifically the Minister of Justice – just released its “Charter Statement” regarding Bill C-2, the Strong Borders Act. I’m particularly focused on the “lawful access” provisions in the Bill, and I read it with interest to see how the government thinks the expanded government access to data is compatible with Section 8 of the Charter. Section 8 prohibits unreasonable searches and seizures.

In the Charter Statement, the Minister significantly mischaracterizes his own bill in a manner that makes it appear more Charter-compliant. It could be a handful of honest mistakes, but I’m getting more cynical as my hair gets more grey. (The two may be connected, now that I think about it.)

Anyways, it’s not a huge “GOTCHA!”, but they should acknowledge the mistakes and fix them.

Some background on what Charter Statements are about can be found in the Charter Statement itself:

Section 4.2 of the Department of Justice Act requires the Minister of Justice to prepare a Charter Statement for every government bill to help inform public and Parliamentary debate on government bills. One of the Minister of Justice’s most important responsibilities is to examine legislation for inconsistency with the Canadian Charter of Rights and Freedoms. By tabling a Charter Statement, the Minister is sharing some of the key considerations that informed the review of a bill for inconsistency with the Charter. A Statement identifies Charter rights and freedoms that may potentially be engaged by a bill and provides a brief explanation of the nature of any engagement, in light of the measures being proposed.

So in this particular Charter Statement, there are a couple of troubling and significant mis-statements about the Lawful Access provisions which – surprise! surprise! – make it appear more Charter-compliant.

When discussing the new production order for Subscriber Information, it says:

The judge would have to be satisfied that an offence has or will be committed and that there are reasonable grounds to suspect that the information will assist in the investigation of an offence.

This is not true. Not even close. The conditions for issuing an order are set out in the new, proposed subsection 487.0142(2), which says:

(2) Before making the order, the justice or judge must be satisfied by information on oath in Form 5.‍004 that there are reasonable grounds to suspect that
(a) an offence has been or will be committed under this Act or any other Act of Parliament; and (b) the subscriber information is in the person’s possession or control and will assist in the investigation of the offence.

The judge only has to be satisfied based on a cop’s sworn say-so that there are reasonable grounds to suspect an offence has been or will be committed, and they have reasonable grounds to suspect the subscriber information will assist in the investigation. This is far from the judge having to be “satisfied” that an offence has been committed. The cop swearing the application doesn’t even have to be satisfied that an offence has been or will be committed. It’s enough that the judge believes that there are reasonable grounds to justify the cop’s tingling “Spidey sense”.

In the next paragraph about the production order for subscriber information, the Charter Statement says that this power will be used to “generate leads”, which sounds like a fishing expedition to me. I don’t think that’s a mistake.

We’ve been told that this power is to be used if the police have an IP address associated with someone they suspect is victimizing children, so they can identify THAT person, do an investigation and then get a search warrant. That’s not “generating leads”, as far as I understand that terminology.

The next material misstatement is in the last sentence of that paragraph, which says “if [the judge] chooses to issue an order, the judge would have discretion as to what information is specified in it.” I’m pretty sure that’s incorrect.

The new order power says it is for

ALL the subscriber information that relates to any information, including transmission data, that is specified in the order and that is in their possession or control when they receive the order.

ALL the subscriber information that relates to the identifier that is specified in the order. The form of the order, which is prescribed in the Act, does exactly that. The order is for ALL subscriber information, which is horribly broadly defined. I’m not seeing any discretion here.

I have some issues with the way certain things are characterized, like saying that information that can be subject to a warrantless demand by a cop is not sensitive information.

The way this provision is drafted, it can include going to a family doctor and saying “Do you provide services to David Fraser? What specialists (like psychiatrists) also provide him with services?” I would say I have a high expectation of privacy in that information. They can go to your bank and the definition of subscriber information can compel them to provide a list of all companies you do business with. That merely identifies the client and the services the client receives. But that’s sensitive information and goes well beyond going to a telco and asking “Do you provide service to this number, and what city does the customer live in?”

This is either sloppy or intended to be deceptive. If the government thinks this is defensible, they should defend it on its own actual, honest merits. In just about every lawful access provision in the Bill, they are lowering the bar to make it easier to get information, while widening the net to capture more information than they say they need.

I’ve said it before and I’ll say it again: Parts 14 and 15 need to be taken out of the Bill, put in their own Bill so we can discuss them. I want to have an honest debate with someone who is interested in an HONEST debate. Think about this …. Bill C-2 is the FIRST substantial bill that Mark Carney’s new government introduced in the House of Commons after getting elected. Correct me if I’m wrong – but I’m pretty sure I’m not – no liberal candidate or the present Prime Minister campaigned on any of the new police and national security powers mentioned in Parts 14 and 15 of Bill C-2.

Alberta's privacy law unconstitutionally violates freedom of expression -- again -- in a decision that has implications for All Canadian privacy laws

2025-05-17T19:00:00.006-03:00

You may have seen some headlines that said that Alberta’s privacy law has been declared unconstitutional. Yup, it’s true that at least part of it was and here’s why …..

This case involves Clearview AI Inc. ("Clearview"), a U.S.-based facial recognition company, challenging an order issued by Alberta’s Information and Privacy Commissioner. The order, based on findings from a joint investigation by Canadian federal and provincial privacy regulators, required Clearview to cease offering services in Alberta, stop collecting, using, and disclosing images and biometric data of Albertans, and delete the relevant data already in its possession.

Clearview sought judicial review of the order on a number of grounds, including that it is not subject to the jurisdiction of Alberta and that the Personal Information Protection Act (aka “PIPA”) does not apply to it, the Commissioner adopted an unreasonable interpretation of the words “publicly available” in PIPA and the Personal Information Protection Act Regulation (the “PIPA Regulation”), and the Commissioner’s finding that Clearview did not have a reasonable purpose for collecting, using, and disclosing personal information is unreasonable. Clearview further asserted that the Commissioner’s interpretation of PIPA and the PIPA Regulation is unconstitutional contrary to Charter s 2(b) which guarantees freedom of expression. That last argument is the one we’re going to focus on.

One thing that is really interesting about the case is that the Court did not really have to address the Charter issues. The Commissioner found that Clearview’s purposes were not reasonable, which is necessary for a company to even collect, use or disclose personal information. The Court agreed, and could have just said “not reasonable!” – don’t have to decide the Charter question – just go follow the Commissioner’s order. But the Court delved into the Charter question as well.

It’s also notable that this is the second time that the Alberta statute has been declared to violate the Charter based on “publicly available information” in the Act and the Regulations as being too narrow. That was done by the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, when the Act was being applied to video recording by a union at a picket line.

The company at issue in this case, Clearview AI, has been the subject of many privacy investigations around the world. They collect facial images from publicly accessible websites, including social media, and use them to create a biometric facial recognition database, marketed primarily to law enforcement. In 2020, privacy commissioners from Alberta, B.C., Quebec, and Canada investigated Clearview’s operations and concluded in a joint report that its practices violated privacy laws.

In December 2021, Alberta’s Commissioner issued an order directing Clearview to cease operations in Alberta, based on violations of PIPA. The Commissioner essentially said that Clearview must do for Alberta what they agreed to do in setting a lawsuit in Illinois (which is notorious for its biometric laws).

Clearview AI then brought an application for judicial review in the Court of King’s bench, contesting:

Jurisdiction of Alberta’s Commissioner,
The reasonableness of the Commissioner's interpretation of "publicly available" under PIPA,
The constitutionality of PIPA's consent-based restrictions on the collection, use, and disclosure of personal information.

It should be noted that the British Columbia Commissioner issued a similar order, which was upheld by the Supreme Court of British Columbia last year.

In Alberta, as far as the jurisdiction argument went, the Court upheld the Commissioner’s jurisdiction, finding a "real and substantial connection" between Clearview’s activities and Alberta. Clearview had marketed its services in Alberta and its database included images of Albertans. The bar for jurisdiction in Canada is pretty low.

On the statutory interpretation issue, the Court accepted as reasonable the Commissioner’s interpretation that images scraped from the internet, including social media, are not "publicly available" within the meaning of the PIPA Regulation. The Commissioner employed a purposive approach, interpreting the relevant provisions narrowly in light of the quasi-constitutional status of privacy rights.

PIPA, like other privacy regulatory regimes in Canada, provides that consent must be obtained to collect and use “personal information” unless certain exceptions apply. One of the exceptions provided for in PIPA is that the information is “publicly available.” PIPA uses the term “publicly available,” but the definition for those words is found in PIPA Regulation section 7(e). PIPA Regulation s 7(e) provides:

7 ... personal information does not come within the meaning of ... “the information is publicly available” except in the following circumstances: ... (e) the personal information is contained in a publication, including, but not limited to, a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information.

The private sector privacy laws of Alberta, British Columbia and Federally have similar, but not identical definitions of what is “publicly available” information that does not require consent for its collection and use. There are other categories, but this decision turned on information in a publication. Here are the three different definitions:

In Alberta, it says

the personal information is contained in a publication, including … but not limited to … a magazine, book or newspaper, whether in printed or electronic form, but only if (i) the publication is available to the public, and (ii) it is reasonable to assume that the individual that the information is about provided that information;

In British Columbia, it does not use “including but not limited to”:

personal information that appears in a printed or electronic publication that is available to the public, including a magazine, book or newspaper in printed or electronic form.

Under PIPEDA’s regulation, the analogous provision reads:

personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

Canadian privacy regulators have interpreted “publication” to exclude social media sites like Facebook and LinkedIn, where Clearview harvests much of its information.

Clearview argued that this narrow interpretation under the Alberta statute and regulation violated its freedom of expression rights under section 2(b) of the Charter of Rights and Freedoms, and could not be saved as a reasonable limitation under section 1 of the Charter.

The Court agreed that:

Clearview’s activities (compiling and using data to deliver a service) were expressive. The consent requirement effectively operated as a prohibition on expression where obtaining consent was impractical.

This amounted to a prima facie infringement of s. 2(b) of the Charter.

I should note that the Alberta Commissioner – ridiculously in my view – argued that the Charter wasn’t even engaged. Here’s what the Court said.

[107] The Commissioner submits that if Clearview’s activity is expressive, it should be excluded from constitutional protection because “the method – mass surveillance – conflicts with the underlying s 2(b) values.” Clearview’s activity, according to the Commissioner, conflicts with the purposes of Charter s 2(b) including the pursuit of truth, participation in the community, self-fulfillment, and human flourishing. The Commissioner offered no authority to support the position that expressive activity could be excluded from protection based on a conflict with underlying constitutional values. Short of violence, all expressive activity is protected by Charter s 2(b).

It’s just a dumb argument to make, in my view.

So once a prima facie infringement is made out, the burden shifts to the government to justify it as a reasonable limitation, prescribed by law that can be justified in a free and democratic society. This follows something called the Oakes test:

The test involves a two-stage analysis: first, the objective of the law must be pressing and substantial; second, the means used to achieve that objective must be proportionate, which requires

a rational connection between the law and its objective,
minimal impairment of the right or freedom, and
a proportionality between the law’s benefits and its negative effects on rights.

In this case, the Court found that there was a Pressing and Substantial Objective: Protecting personal privacy is valid and important. The Court also found that the requirement of consent is logically connected to privacy protection, and thus rationally connected.

The law failed on the “minimal impairment” part of the analysis. The dual requirement of consent and a reasonable purpose, without an exception for publicly available internet data, was overly broad.

In a nutshell, the court has to consider what expressive activities are captured – how broadly the net is cast – and whether everything that is caught in that net is necessary or rationally connected to the pressing and substantial objective.

The Court summarized Clearview’s argument at paragraph 129:

“Clearview asserts that people who put their personal information on the internet without protection do not have a reasonable expectation of privacy. Where there is no reasonable expectation of privacy, the protection of privacy is not a pressing and substantial state objective.”

The Court noted that the way the net is being cast by the Act and the regulations not only captures Clearview’s web-scraping, but it also captures legitimate indexing by beneficial search engines. The Commissioner’s interpretation would exclude search engines, meaning that they would have to get consent for all collection, use and disclosure of personal information obtained from websites.

Here’s what the Court said at paragraph 132 of the decision:

[132] A difficulty with the PIPA consent requirement for personal information publicly available on the internet is that it applies equally to Clearview’s search technology used to create a facial recognition database and regular search engines that individuals use to access information on the internet. … For the most part, people consider Google’s indexing of images and information to be beneficial. And certainly, Albertans use Google and similar search engines for expressive purposes. But according to my interpretation of PIPA and the PIPA Regulation and the Commissioner’s interpretation of those same instruments, Google and similar search engines cannot scrape the internet in Alberta for the purpose of building and maintaining an index of images of people without consent from every individual whose personal information is collected.

The Court then went on to say at paragraphs 136 and 137:

[136] PIPA and the PIPA Regulation are overbroad because they limit valuable expressive activity like the operation of regular search engines. There is no justification for limiting use of publicly available personal information by regular search engines just as there was no justification to limit use of publicly available personal information for reasonable purposes by the union in UFCW Local 401.

[137] Alberta has a pressing and substantial interest in protecting personal information where individuals post images and information to websites and social media platforms subject to terms of service that preserve a reasonable expectation of limited use. This pressing and substantial interest, however, does not extend to the operation of regular search engines. A reasonable person posting images and information to a website or social media platform subject to terms of service but without using privacy settings expects that such images and information will be indexed and retrieved by internet search engines; indeed, that is sometimes the point of posting images and information to the internet without using privacy settings.

Then, at paragraph 138, the court concluded that the “publicly available” exception was too narrow because it specifically would capture general search engines, which do not engage the “pressing and substantial limitation”

[138] The public availability exception to the consent requirement in PIPA and the PIPA Regulation is source-based, not purpose-based. Because it is source-based, it applies to regular internet search engines that scrape images and information from the internet like Clearview even if they use images and information for a different purpose. I find that PIPA and the PIPA Regulation are overbroad because the definition of “publication” in PIPA Regulation s 7(e) is confined to magazines, books, newspapers, and like media. Without a reasonable exception to the consent requirement for personal information made publicly available on the internet without use of privacy settings, internet search service providers are subject to a mandatory consent requirement when they collect, use, and disclose such personal information by indexing and delivering search results. There is no pressing and substantial justification for imposing a consent requirement on regular search engines from collecting, using, and disclosing unprotected personal information on the internet as part of their normal function of providing the valuable service of indexing the internet and providing search results.

The court essentially concluded that it was OK to limit what Clearview is doing, but it is NOT OK to limit what search engines are doing. The law, as written, does not distinguish between the “bad” and the “good”, and as a result, the law did not “minimally impair” this important Charter right.

On the final balancing, the Court concluded that the harm to freedom of expression was not outweighed by the benefit to privacy.

The Court declared that PIPA ss. 12, 17, and 20 and PIPA Regulation s. 7 unjustifiably infringed s. 2(b) of the Charter and could not be saved under s. 1 of the Charter, to the extent that they prohibited the use of publicly available internet data for reasonable purposes.

The Court upheld the Commissioner’s jurisdiction and found her statutory interpretation reasonable. However, the impugned provisions of PIPA and the Regulation were declared unconstitutional insofar as they infringed freedom of expression by unduly restricting the use of publicly available information online.

I fully expect that this decision will be appealed, and I don’t know if the British Columbia decision has been appealed.

In the big picture, though this decision is not binding on the Federal Commissioner, it pretty strongly stands for the proposition that PIPEDA’s publicly available information exception is also unconstitutional. This has implications for “the right to be forgotten” and for collecting data for training AI models, both of which are currently before the federal commissioner.

Drones and trespass law in Canada: You don't own your airspace over your property

2024-12-01T11:34:00.003-04:00

A legal question that sometimes comes up for drone pilots is whether you can legally fly over private property and whether a property owner has any recourse against a drone pilot. It comes up on a daily basis for folks like DJAudits in the UK on his YouTube channel, where he educates property owners and security guards on this issue, whether they want to know or not.

I’m a recreational drone operator. I’ve advised other operators and have experience with investigations by Transport Canada related to RPV/UAV activities. I’ve been an invited speaker on this topic at various drone expos and to media lawyers. I would not call myself a drone lawyer, but I think I know more about this than most lawyers. I have another YouTube channel where I post my drone videos, mostly of Beautiful Nova Scotia. I’ll put a link below.

And I should note what I’m about to talk about is applicable to Canada only. The law may be similar in other places, but I only practice Canadian law.

Any legal claims like this would be governed by the common law, which is the body of law applied and interpreted by judges. There are no statutes passed by parliament or provincial legislatures that we can look to for the answer. And we really don’t have any reported cases in Canada that deal with trespass claims involving drones.

The one case that comes the closest is Reynolds v Deep Water Recovery Ltd from the Supreme Court of British Columbia. In that case a drone operator and environmental activist was sued by a ship breaking company for trespass and nuisance, among other claims. It started when she sued the company alleging that they stole her drone and returned it damaged. She also alleged assault and harassment. The company filed a counterclaim alleging trespass, nuisance, invasion of privacy and the illegal operation of a drone.

She then applied to have the company’s claims thrown out as a “strategic lawsuit against public participation.” The Court didn’t address whether flying the drone over her property was actually trespassing. Assuming this goes to trial, we’ll have to wait and see for this first of a kind decision.

But that doesn’t mean that the courts haven’t considered whether a property owner “owns” the airspace over the property. There’s a case called Didow v. Alberta Power Limited, which was between a property owner and a power company. The power company constructed a power line on the municipal road allowance along the side of the plaintiff’s land. The poles themselves were two feet outside the property line, but the cross-arms conductors and attaching wires at the top of each pole protruded six feet into the airspace above the plaintiff’s land. It went to the Alberta Court of Appeal, where the only question was whether that intrusion above the plaintiff’s property was a trespass.

If you’re interested in geeking out about this question, the court of appeal decision is FOR YOU! Justice Haddad had to go through all the old authorities and started with this really old “legal maxim”. I won’t try to pronounce the latin, but it means “whoever's is the soil, it is theirs all the way to Heaven and all the way to Hell”. Essentially, if you own the land, you own the skies above it and the dirt below it.

It has been traced back to the 13th century, long before there was any kind of aircraft. Since then, there has been much litigation that has ultimately scaled back the principle from the latin maxim.

The Alberta court of appeal favourably quoted from a 1977 English case called Bernstein v Skyviews. Though it’s from decades ago, it did deal with a case where the defendant flew over the plaintiff’s country house for the explicit purpose of taking photos of the property. In this case, the English Court of Queen's Bench said:

“… The problem is to balance the rights of an owner to enjoy the use of his land against the rights of the general public to take advantage of all that science now offers in the use of air space. This balance is in my judgment best struck in our present society by restricting the rights of an owner in the air space above his land to such height as is necessary for the ordinary use and enjoyment of his land and the structures on it, and declaring that above that height he has no greater rights in the air space than any other member of the public.”

So your exclusive rights to the airspace over your property only extend as high as is necessary for your usual enjoyment of your land and whatever’s built on it.

If you currently have bare land and then build a five storey structure and put up a windmill, then the airspace that you exclusively control goes up.

The Alberta Court of Appeal also quoted from a 1946 decision of the Supreme Court of the United States called United States v Causby. In this case, a farmer's farm was located close to an airport and the planes flying over the farm were hurting – even killing – his chickens. Here’s what the Supreme Court of the United States said:

“The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land. … The fact that he does not occupy it in any physical sense-by the erection of buildings and the like - is not material. … While the owner does not in physical manner occupy that stratum of airspace or make use of it in the conventional sense, he does use it in somewhat the same sense that space left between buildings for the purpose of light and air is used. The superadjacent airspace at this low altitude is so close to the land that continuous invasions of it affect the use of the surface of the land itself. We think that the landowner, as an incident to his ownership, has a claim to it and that invasions of it are in the same category as invasions of the surface.”

The court concluded that if you permanently erect something above someone’s property at a height they might use the space, then that IS trespassing. “In any event, they serve to make clear that intrusion by an artificial or permanent structure into the airspace of another is forbidden as a trespass.”

The part that matters for drone operators is transient use of airspace at a height unlikely to affect the landowner is NOT a trespass. The door is still open for consideration of intrusions at lower altitudes. I think the cases would lead to the conclusion flying a drone above someone’s property at a low level – like below the roofline – would be a trespass.

But it can be something called a “nuisance”. A nuisance is interfering with someone’s enjoyment of their property. The interference has to be substantial, and I think it would have to be pretty outrageous or regularly repeated.

I can imagine a scenario in which someone has a backyard pool with a privacy fence around it. If someone hovered a drone over the pool while people are sunning themselves, the presence of the drone could interfere with the usual enjoyment of the pool.

And the nuisance can be more than just the mere presence there; a court could take into account the noise made by the drone. I’m pretty sure if I installed a dozen of these drone hangars in my back yard and ran drone sorties from them 24/7, my neighbour would have a case that I’ve created a nuisance.

It should also be noted that serious interference with someone’s lawful enjoyment of their property can also be a criminal code offence of mischief. I think it would have to be pretty serious and I can’t find any cases that have considered drones as causing the mischief.

Appeal court reverses Facebook’s Canadian privacy win

2024-09-20T09:05:00.001-03:00

On September 9, 2024, the Federal Court of Appeal did something very interesting. A unanimous three judge panel fully reversed the factual conclusions of the court below to conclude that Facebook had violated the Personal Information Protection and Electronic Documents Act in connection with the Cambridge Analytica scandal. And then rather than sending it back to the Federal Court to be determined by another judge, they reached their own conclusions and invited submissions on remedy.

It is not common for an appeals court to reverse factual findings like that to begin with. They can only do so if they find “palpable and overriding error for questions of fact or mixed fact and law”. And it’s pretty clear that’s what the appeals court found.

The earlier decision, rendered in April 2023, was – I thought – pretty embarrassing to the Privacy Commissioner.

You may recall from 2019, when the Privacy Commissioner of Canada and the Information and Privacy Commissioner of British Columbia released, with as much fanfare as possible, the result of their joint investigation into Facebook related to the Cambridge Analytica incident. That incident took place around 2013 to 2015, so around ten years ago.

Both of the Commissioners concluded, at that time, that Facebook had violated the federal and British Columbia privacy laws, principally related to transparency and consent.

Because Facebook did not accept that finding, the Privacy Commissioner of Canada commenced an application in the Federal Court to have the Court make the same determination and issue a whole range of orders against the social media company.

The hearing of that application took place in March 2023 and a decision was released from the federal court just over a month later. It concluded that the Privacy Commissioner did not prove that Facebook violated our federal privacy law in connection with the Cambridge Analytica incident.

Just a little bit of additional procedural information: under our current privacy law, the Privacy Commissioner of Canada does not have the ability to issue any orders or to levy any penalties. What can happen after the Commissioner has released his report of findings is that the complainant, or the Commissioner with the complaint’s okay, can commence an application in the Federal Court of Canada. This is what is called a de novo proceeding.

The finding from the Privacy Commissioner below can be considered as part of the record, but it is not a decision being appealed from. Instead, the applicant, in this case, the Privacy Commissioner, has the burden of proving to a legal standard that the respondent has violated the federal privacy legislation.

This has to be done with evidence, which is where the trial judge concluded the privacy commissioner fell significantly short in the Facebook case. I did a video on that decision, which I’ll link to below.

The Old Facebook

To understand this decision, we have to understand what it was all about. It has to be remembered that the events being investigated took place almost 10 years ago, and the Facebook platform is substantially different now compared to what it looked like then. If you were a Facebook user from that time, you probably remember a whole bunch of apps running on the Facebook platform. You probably were annoyed by friends who were playing Farmville and sending you invitations and updates. Well, these don't exist anymore. Facebook largely is no longer a platform on which third party apps will run.

At the time, users could install apps and the app developers could get access to that user’s personal information. Those apps could also get access to some information related to the friends of the installing user. The installing user had some knowledge and control, but that person’s friends were largely ignorant of the fact and had no control over that.

In a nutshell, at the time, one of the app developers that used the Facebook platform was a researcher later associated with a company called Cambridge analytica. They had an app running on the platform called “this is your digital life”. It operated for some time in violation of Facebook's terms of use for app developers, hoovering up significant amounts of personal information and then selling and/or using that information for, among other things, profiling and advertising targeting. Appeal decision

The Appeal Court's Decision

The questions put to the Federal Court of Appeal was whether the judge below had made a reviewable error when he concluded that there was not sufficient evidence to prove that Facebook did not get adequate consent from users and whether they had failed to safeguard user data.

The Court of Appeal concluded that there was sufficient evidence to reach these conclusions and the judge below made an error in not seeing it as sufficient. The standards for consent are objective At the Federal Court level, the judge said that the Privacy Commissioner had failed to bring sufficient evidence to prove that Facebook did not get adequate user consent for the collection, use and disclosure of their personal information and that of their friends. The judge below said it would have been helpful to have expert evidence on users’ expectations and what Facebook could have done differently.

The Federal Court of Appeal essentially said that’s asking the wrong question, based on a premise that the standard of consent is subjective. PIPEDA uses the term “reasonable” in a number of places. The Federal Court of Appeal said the standard for consent in PIPEDA is an objective standard, and does not require that sort of evidence.

On a daily basis, courts deal with determining what is reasonable in a whole range of cases without that specialized evidence. Judges can apply common sense. The Court described the legal “reasonable person” at paragraph 63:

[63] The reasonable person is a fictional person. They do not exist as a matter of fact. The reasonable person is a construct of the judicial mind, representing an objective standard, not a subjective standard. Accordingly, a court cannot arbitrarily ascribe the status of “reasonable person” to one or two individuals who testify as to their particular, subjective perspective on the question. As Evans J.A. wrote for this Court: “determining the characteristics of the ‘reasonable person’ presents difficulties in a situation where reasonable people may view a matter differently, depending, in part, on their perspective… However, the view of the reasonable person in legal tests represents a normative standard constructed by the courts, not an actuality that can be empirically verified” (Taylor v. Canada (Attorney General) (C.A.), 2003 FCA 55, [2003] 3 F.C. 3 at para. 95).

The Court of Appeal said, at paragraph 60 of the decision:

[60] Subjective evidence does not play a role in an analysis focused on the perspective of the reasonable person.
[61] The meaningful consent clauses of PIPEDA, along with PIPEDA’s purpose, pivot on the perspective of the reasonable person. Section 6.1 of PIPEDA protects an organization’s collection, use, or disclosure of information only to the extent that a reasonable person would consider appropriate in the circumstances. Clause 4.3.2 of PIPEDA asks whether an individual could have “reasonably underst[ood]” how their information would be used or disclosed. (See also section 3 and clause 4.3.5 of PIPEDA).

The Court of Appeal then said at Paragraph 70:

[70] It was the responsibility of the Court to define an objective, reasonable expectation of meaningful consent. To decline to do so in the absence of subjective and expert evidence was an error.

I think the court is both right and wrong here. There are times in PIPEDA where a clearly objective standard is created. Look at section 5(3), which refers to the mythical, legal “reasonable person”:

Appropriate purposes (3) An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

We are clearly looking at THE REASONABLE PERSON ie the judge, applying this legal fiction.

But in other places in PIPEDA, we’re talking about conclusions about THE person who is being asked to give consent to the collection, use and disclosure of personal information:

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

Is it reasonable (objective standard) to expect that THE individual at issue understands? That’s an objective assessment of a subjective situation.

In the consent principle, “reasonable” is used a few times.

4.3.2 - The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

Reasonable is used twice here. Was the effort reasonable? That’s objective, but in light of “the individual” in question, which seems subjective. But then it says “that the individual can reasonably understand”. That seems to suggest a reference to the individual at issue, who will be subjective.

A little further down, that seems to really apply a mixed objective/subjective assessment:

4.3.5 - In obtaining consent, the reasonable expectations of the individual are also relevant.

You’re looking at the reasonable expectations of THE INDIVIDUAL. It doesn’t say the reasonable expectations of a reasonable person, or the expectations of the reasonable person.

So I think, applied to this case, we’re really talking about the reasonable expectations of a Facebook user in 2014, not a fictional creature like the “man on the clapham omnibus.”

Friends’ information

The next conclusion of the Federal Court of Appeal was much much easier to reach on the record before them. The Federal Court of Appeal very strongly determined that Facebook did not get adequate consent from friends of users who installed apps on the platform where those apps collected the personal information of those friends. When users installed apps, the app developer was required to inform the user about what personal information would be collected by the developer and how it would be used. At least in theory, that user could make an informed decision about whether to use the app or maybe can calibrate what data the app could access. However, if the app collected information about that user’s friends, those friends were not given notice or an opportunity to consent. On this point, the Federal Court of Appeal said:

[76] This distinction between users and friends of users is fundamental to the analysis under PIPEDA. The friends of users could not access the [Granular Data Permissions] process on an app-by-app basis and could not know or understand the purposes for which their data would be used, as required by PIPEDA.
[77] The only conclusion open to the Federal Court on the evidence was that Facebook failed to obtain meaningful consent from friends of users to disclose their data, and thus breached PIPEDA. This finding hinges mainly on Facebook’s different consent practices for users of apps and those users’ friends, and Facebook’s user-facing data policies and practices with third-party apps more broadly. To the extent this evidence was acknowledged by the Federal Court, it made a palpable and overriding error in its conclusion that there was no breach of PIPEDA.
[78] Facebook did not afford friends of users who downloaded third-party apps the opportunity to meaningfully consent to the disclosure of their data, since friends of users were simply unable to review those apps’ data policies prior to disclosure. This is not in accordance with PIPEDA: clause 4.3.2 of PIPEDA requires that organizations “make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used”.

The fact that users are informed via the privacy policy that this could happen was not sufficient, in the Court’s view.

Yeah, it seems very difficult to reach the conclusion that the friends had given knowledgeable, informed consent when they were not knowledgeable about the sharing of their personal information and were never given an opportunity to consent.

Privacy Policies are not sufficient

The Federal Court of Appeal raised one of the big challenges of privacy in the modern, online age. It says privacy policies are too long and nobody reads them. In a nutshell, long privacy policies are not the foundation for informed consent.

Trust but verify

On the question of whether Facebook fulfilled its obligations to safeguard users’ personal information, the Court of Appeal found that Facebook failed to safeguard user data because it did not review the privacy policies of third-party apps, and it did not act on red flags raised by apps like “this is your digital life”. Facebook's failure to review privacy policies or act on red flags amounted to a failure to adequately monitor third-party apps.

While companies can generally rely on the good faith performance of contracts, like the terms that all app developers had to agree to, the Court in this case raises the bar to “trust but verify” where you know there’s a risk of bad actors who will not adhere to those terms. The Court of Appeal specifically said at paragraph 117:

[117] Facebook is entitled to rely on the good faith performance of contracts, but only to a point. As discussed above, Mark Zuckerberg admitted that it would be difficult to guarantee that there were no “bad actors” using its Platform. It is incongruent to expect a bad actor to carry out a contract in good faith. Facebook therefore should have taken further measures to monitor third-party contractual compliance.

In particular, the Court noted that there were a number of red flags with this particular app developer that should have been pursued more promptly and perhaps with greater consequences to the developer.

This does change the analysis a bit. My take, which I think aligns with many of Facebook’s arguments, are that once someone has consented to their information being disclosed to a third party like an app developer, that app developer is the custodian of your data and they are now 100% responsible for securing it and living up to the legal obligations related to that data. The party that disclosed it, with consent, ceases to be responsible for it in the hands of the app developer.

I think what the Court of Appeal is getting at is that in a case like this, Facebook can’t be sure of the bona fides of the developer, Facebook continues to have some responsibility for the data. And since the Court concluded Facebook had reason to know that the people behind this particular act were perhaps – maybe likely – bad actors, permitting them to continue on the platform was inadequately safeguarding users’ data.

Takeaways

So the main takeaways from this decision is that consent and expectations of privacy seem to be fully objective, without regard to the individual at issue or the population we’re talking about. I’m not sure I fully agree with this.

The Court of Appeal is also clear – about something I’ve agreed with for some time – that privacy policies are not where you get knowledgeable, informed consent. People don’t read them and courts are starting to understand this. You need just in time consent, clearly articulated to the individual and I would still say tailored to the particular audience with whom you’re dealing.

And finally, trust but verify. You can rely on the good faith of third parties to live out their obligations under an agreement, unless you can’t. If there’s evidence to suggest they are bad actors, you may not be able to rely on that. Watch out for red flags. Trust but verify.

It will be interesting to see if Facebook seeks leave to appeal to the Supreme Court of CAnada. And it will be very interesting to see what remedies the OPC and Facebook agree to. And if they can’t agree, it’ll be interesting to see what remedies the FCA imposes. THAT will also be precedent setting.

Important new Ontario court decision on privilege in incident response documentation

2024-05-07T10:20:00.003-03:00

The Ontario divisional court has just released a decision, LifeLabs LP v. Information and Privacy Commr. (Ontario), 2024 ONSC 2194, that should grab the attention of Canadian lawyers who work in cyber incident response. I don’t know whether it will be appealed, but the logic of the decision is pretty sound. But I expect this isn’t over.

In a nutshell, after a significant ransomware incident, LifeLabs was assisted by well-known cybersecurity and forensic consultants for the investigation, remediation and negotiation with the ransomware bad guys. As required by the relevant privacy laws of those provinces, they notified the privacy commissioners of British Columbia and Ontario, and the commissioners started a joint investigation. In connection with their investigation, the commissioners demanded to see the consultants’ reports and LifeLabs claimed they were privileged.

Not surprisingly, the ransomware incident was followed by a number of class action lawsuits that were still pending at all material times.

In June 2020, the Commissioners issued a joint decision finding that LifeLabs had provided insufficient evidence to back up the privilege claim. They were also ordered to hand over the consultants’ reports. So LifeLabs sought judicial review of the order in the Ontario Divisional Court. The Court just released its decision, upholding the IPC’s order. I’m not sure why it took so long to get to a hearing.

According to the IPC’s decision, there were five categories of records at issue:

i. The investigation report prepared by the cybersecurity firm hired by LifeLabs, which described how the cyberattack occurred.

ii. The email correspondence between the cyber intelligence firm and the cyber-attackers after the discovery of the attack by LifeLabs.

iii. An internal data analysis prepared by LifeLabs on April 28, 2020 to describe which individual health information had been affected by the breach and to notify those affected pursuant to ss. 12(1) and 12(2) of the PHIPA.

iv. A submission from LifeLabs to the Commissioners dated May 15, 2020 in response to certain specific questions, communicated through legal counsel.

v. The report of Kevvie Fowler, Deloitte LLP dated June 9, 2020 prepared as part of the representations by LifeLabs and submitted to the Commissioners for that purpose.

Other than the internal LifeLabs assessments, the records were created by consultants retained by LifeLabs’ lawyers. The cybersecurity firm was already engaged by LifeLabs to assess the company’s security, and it was actually them who discovered the incident. They were instructed to provide their reports on the incident to legal counsel.

The court reviewed the IPC’s privilege decision on a standard of correctness and found that it was correct.

Before getting into the decision, it should be noted that LifeLabs claimed “solicitor client privilege” and “litigation privilege”. They are related and similar, but not the same.

Solicitor client privilege protects communications that are made in confidence between a lawyer and their client (or third party acting on behalf of their client). In order to be privileged, the communication must be made for the purpose of seeking or giving legal advice, and the parties must have intended the communication to be confidential. Just because there’s a lawyer in the mix doesn’t make it privileged, and a third party’s involvement, like a consultant retained by the client or the lawyer, doesn’t waive that privilege.

Litigation privilege is intended to create a “zone of privacy” within which counsel can prepare draft questions, arguments, strategies or legal theories, in anticipation of litigation and for the purpose of preparing for that litigation. Documents created by others, to assist counsel, in preparing for litigation can also fit into this category. Notably, the privilege only exists while the litigation is anticipated or ongoing.

If you read the IPC’s decision, you’ll see that not much information was provided by LifeLabs (or at least not to the IPC’s satisfaction) to demonstrate that the five categories of records fit into either solicitor client privilege or litigation privilege. In large measure, the IPC decided that LifeLabs HAD to investigate the incident and HAD an obligation to provide factual information to the IPC. It doesn’t look like the IPC was looking for actual advice given by counsel or anything related to LifeLabs’ trial strategy for their ongoing litigation.

Ultimately, the decision turned on LifeLabs not providing evidence to the IPC’s satisfaction to back up their privilege claims.

The main conclusions, simplified a bit, are that:

1.         Facts are not privileged, even if they were collected or compiled by a lawyer.
2.         If you have a statutory obligation to investigate and provide information to the regulator, the facts that are discovered in that investigation are not privileged.
3.         Solicitor client privilege only protects communications that are made for the purpose of seeking or obtaining legal advice.
4.         Litigation privilege only protects communications and records that are created for the dominant purpose of preparing for litigation.

This is not earth shattering, but it’s a reminder of how the law of privilege works in Canada.

The court emphasized that even if certain communications or documents are privileged, the facts referred to or reflected in those communications may not be privileged if they exist independently, outside of the privileged context. Facts that have an independent existence outside of solicitor-client privileged communications are not automatically privileged.

The court quoted and agreed with paragraph 49 of the IPC’s decision:

Even if the communication is privileged, the facts referred to or reflected to in those communications are not privileged if they exist outside the documents and are relevant and otherwise subject to disclosure. Some facts have a life outside the communication between lawyer and client but have also been communicated within the solicitor-client relationship. Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. When deciding if such facts are privileged, one must keep one eye on the need to protect the freedom and trust between solicitor and client and another eye on the potential use of privilege to insulate otherwise discoverable evidence. While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.

The court further clarified that simply depositing a document or providing counsel with a copy of a document does not automatically extend privilege to the original document. The protection of privilege is intended to safeguard the communication between lawyer and client and the adversarial preparation for litigation, not the underlying facts themselves.

Therefore, the court concluded that facts concerning the investigation or remediation, even if communicated within a privileged context, may not be privileged if they have an independent existence outside of privileged documents.

If an organization has a legal obligation to investigate, remediate and report to the privacy commissioner, interjecting lawyers into the process does not relieve the organization of its obligation to report to the commissioner. This obligation includes cooperating with the commissioner's inquiries and providing information necessary for investigations.

The Court wrote:

[76] Health information custodians, such as LifeLabs, cannot defeat these responsibilities by placing facts about privacy breaches inside privileged documents. Although the claims of privilege here were rejected, even if they had been accepted, this would not have defeated the ON IPC’s duty to inquire into the facts about the data breach within the control and knowledge of LifeLabs. This result flows not only from the ON IPC’s statutory mandate, but also from how litigation privilege and solicitor client privilege function.

…

[79] Thus, the IPC’s statutory duty to inquire, and LifeLabs’ duty to respond, does not permit a claim of litigation privilege over facts obtained through its lawyers, even where those facts might also play a role in defending against parallel civil litigation. As Nordheimer, J. wrote in R. v. Assessment Direct, at para. 10, “the privilege does not protect information that would otherwise have to be disclosed”. LifeLabs did not identify any litigation strategy that would be disclosed in the Investigation Report because of the Privilege Decision.

On this point, the Court agreed with the findings of the IPC:

[80] Similarly, solicitor-client privilege does not extend to protect facts that are required to be produced pursuant to statutory duty. The ON IPC correctly articulated the law when it stated at para. 49:

… Facts that have an independent existence outside of solicitor-client privileged communications are not privileged. … While privilege is jealously guarded it must be interpreted to protect only what it is intended to protect and nothing more.”

Furthermore, the court emphasized that organizations cannot use claims of privilege to shield facts about privacy breaches from the commissioner. Even if privilege is claimed over certain documents or information, it does not absolve the organization from its duty to cooperate with the commissioner's investigation and provide relevant facts. The court noted that placing unpalatable facts within privileged documents to avoid investigative orders would undermine the purpose of regulatory oversight and accountability.

Just saying something is privileged does not make it privileged. Including a lawyer in a conversation does not make it privileged. Having the lawyer hire the consultant does not automatically make it privileged.

The IPC and the Court noted that the cybersecurity consulting firm had a prior retainer with LifeLabs related to what it was doing before the incident, during the incident and afterwards. Simply having the report related to the incident addressed to counsel didn’t make that report privileged. The IPC referred to a US case called In re Capital One, which LifeLabs said was an error. The court disagreed with LifeLabs, and reached the same conclusion as the IPC:

[90] I disagree. The In re Capital One case affords persuasive authority to support a finding that where a company has a prior retainer with a cybersecurity firm to provide essentially the same services before and after a breach, inserting counsel’s name into the contract and stating that the deliverables would be made to counsel on behalf of the client, does not render any report prepared subject to the U.S. work product doctrine, which is akin to Canada’s litigation privilege.

Interestingly, the IPC in their March 2020 decision on privilege left the door open for LifeLabs to prove that portions of the records may include information that is subject to solicitor client or litigation privilege.

I would have liked to have seen a bit more analysis of what is reasonably contemplated litigation and dominant purpose, in the context of the discussion of litigation privilege. The reality is that in the aftermath of an incident like this, litigation is almost certain to follow. Much of the response or even the approach to the incident response is informed by that likelihood. Many records are created in anticipation of defending litigation, but those records are also useful for (or maybe necessary for) dealing with the commissioner’s investigation. Is 50/50 dominant enough? And some of these records would be created because that’s what’s expected of a reasonably prudent company. Is 33/33/33 dominant enough? Should we create different tracks in incident response, assigning certain investigators to the litigation track and others to the commissioner reporting track?

Maybe we should consider amending our privacy laws (or Evidence Acts more generally) to say that the provision of information to a regulator pursuant to a statutory duty does not amount to a waiver of privilege as far as third parties are concerned.

I think lawyers who work in this area will have some interesting discussions about this decision.

It will be interesting to consider how this affects certain activities that take place outside of the context of dealing with an active incident. For example, I may be retained by a client to provide them with my assessment of whether they are complying with their safeguarding obligations under privacy laws. Often, an engagement like that involves working with expert consultants who examine the network security, do penetration testing and benchmark against best practices. New facts are uncovered that will be included in my opinion and advice to the client, and at that stage there is no obligation to assist any privacy regulator in that endeavour. The new facts were “uncovered” or discovered only for the purpose of providing legal advice. I think there are arguments that can be made in both directions regarding whether those new facts can be privileged. That’s a discussion for another day …

I should add this decision doesn’t create any new law about privilege. Nor does it put a dizzying spin on privilege law, but it serves as a reminder that you can’t throw a blanket of privilege over everything associated with incident response. I also don’t think it does away with privilege in connection with incident response. I have provided a lot of advice to a lot of organizations, and I’ve worked with a lot of outside consultants in that context. I remain confident that my communications with my clients, in the context of them seeking my legal advice, is untouched by this decision.

Canada's New "Online Harms" bill - and overview and a few critiques

2024-03-04T08:40:00.001-04:00

It is finally here: the long-anticipated Online Harms bill. It was tabled in Parliament on February 26, 2024 as Bill C-63. It is not as bad as I expected, but it has some serious issues that need to be addressed if it is going to be Charter-compliant. It also has some room for serious improvement and it represents a real missed opportunity in how it handles “deepfakes”, synthetic explicit images and videos.

The bill is 104 pages long and it was just released, so this will be a high level overview and perhaps incomplete. But I will also focus on some issues that leapt out to me on my first few times reading it.

In a nutshell, it does a better job than the discussion paper first floated years ago by not lumping all kinds of “online harms” into one bucket and treating them all the same. This bill more acutely addresses child abuse materials and non-consensual distribution of intimate images. I think the thresholds for some of this are too low, resulting in removal by default. The new Digital Safety Commission has stunning and likely unconstitutional powers. As is often the case, there’s too much left to the regulations. But let’s get into the substance.

Who does it apply to?

So what does it do and who does it apply to? It applies to social media companies that meet a particular threshold that’s set in regulation. Social media companies are defined as:

social media service means a website or application that is accessible in Canada, the primary purpose of which is to facilitate interprovincial or international online communication among users of the website or application by enabling them to access and share content. (service de média social)

It also specifically includes: (a) an adult content service, namely a social media service that is focused on enabling its users to access and share pornographic content; and (b) a live streaming service, namely a social media service that is focused on enabling its users to access and share content by live stream.

This seems intended to capture sites like PornHub and OnlyFans, but I think there are arguments that could be made to say that they'll not fit within that definition.

It specifically excludes services that do not permit a user to communicate to the public (s. 5(1)) and carves out private messaging features. So instead of going after a very long list of service providers, it is much more focused, but this can be tailored by the minister by regulation.

New bureaucracy

The online news act creates a whole new regulatory bureaucracy, which includes the Digital Safety Commission, the Digital Safety Ombudsperson and the Digital Safety Office. The Digital Safety Commission is essentially the regulator under this legislation and I'll talk a little bit later about what that its role is. The Ombudsperson is more of an advocate for members of the public and the Digital Safety Office is the bureaucracy that supports them both. As an aside, why call the bill the “Online Harms Act” but call the Commission the “Online Safety Commission”? We have a Privacy Act and a Privacy Commissioner. We have a Competition Act and a Competition Commissioner. We have a Human Rights Act and a Human Rights Commissioner. In this bill, it’s just inelegant.

Duty to act responsibly

The legislation will impose a duty to act responsibly with respect to harmful content by implementing processes and mitigation measures that have to be approved by the Digital Safety Commissioner of Canada. This is extremely open-ended and there is no guarantee or assurance that this will be compatible with the digital safety schemes that these companies would be setting up in order to comply with the laws of other jurisdictions. We need to be very careful that “made in Canada Solutions” don't result in requirements that are disproportionately burdensome in light of our market size.

The large social media companies that immediately come to mind already have very robust digital safety policies and practices, so whatever is dictated by the Digital Safety Commissioner should be based on existing best practices and not trying to reinvent the wheel.

If you are a very large social media company, you likely are looking to comply with the laws of every jurisdiction where you are active. Canada is but a drop in the internet bucket and work done by organizations to comply with European requirements should be good enough for Canada. If the cost of compliance is too onerous, service providers will look to avoid Canada, or will adopt policies of removing everything that everyone objects to. And the Social Media companies will be required to pay for the new digital bureaucracy, so that adds significantly to their cost of doing business in Canada.

In addition to having to have government approved policies, the Bill does include some mandatory elements like the ability of users to block other users and flag harmful content. They also have to make a “resource person” available to users to hear concerns, direct them to resources and provide guidance on the use of those resources.

Age appropriate design code

One thing that I was blown away by is largely hidden in section 65. It reads …

Design features

65 An operator must integrate into a regulated service that it operates any design features respecting the protection of children, such as age appropriate design, that are provided for by regulations.

I was blown away by this for two reasons. The first is that it gives the government the power to dictate potentially huge changes or mandatory elements of an online service. And they can do this by simple regulation. Protecting children is an ostensible motive – but often a pretext – for a huge range of legislative and regulatory actions, many of which overreach.

The second reason why I was blown away by this is that it could amount to an “Age Appropriate Design Code”, via regulation. In the UK, the Information Commissioner’s Office carried out massive amounts of consultation, research and discussion before developing the UK’s age appropriate design code. In this case, the government can do this with a simple publication in the Canada Gazette.

Harmful content

A lot of this Bill turns on “what is harmful content”? It is defined in the legislation as seven different categories of content, each of which has its own specific definition. they are..

(a) intimate content communicated without consent;

(b) content that sexually victimizes a child or revictimizes a survivor;

(d) content used to bully a child;

(e) content that foments hatred;

(f) content that incites violence; and

(g) content that incites violent extremism or terrorism.‍

Importantly, the bill treats the first two types of harmful content as distinct from the rest. This actually makes a lot of sense. Child sexual abuse materials are already illegal in Canada and is generally easy to identify. I am not aware of any social media service that will abide that sort of content for a second.

The category of content called “intimate content communicated without consent” is intended to capture what is already illegal in the Criminal Code related to the non-consensual distribution of intimate images. The definition in the online harms bill expands on that to incorporate what are commonly called “deepfakes”. These are images depicting a person in an explicit manner that are either modifications of existing photographs or videos, or are completely synthetic as the result of someone's imagination or with use of artificial intelligence.

I 100% support including deepfake explicit imagery in this Bill and I would also 100% support including it in the Criminal Code given the significant harm that it can cause to victims, but only if the definition is properly tailored. In the Online Harms bill, the definition is actually problematic and potentially includes any explicit or sexual image. Here is the definition, and note the use of “reasonable to suspect”.

intimate content communicated without consent means

(a) a visual recording, such as a photographic, film or video recording, in which a person is nude or is exposing their sexual organs or anal region or is engaged in explicit sexual activity, if it is reasonable to suspect that

(i) the person had a reasonable expectation of privacy at the time of the recording, and

(ii) the person does not consent to the recording being communicated; and

(b) a visual recording, such as a photographic, film or video recording, that falsely presents in a reasonably convincing manner a person as being nude or exposing their sexual organs or anal region or engaged in explicit sexual activity, including a deepfake that presents a person in that manner, if it is reasonable to suspect that the person does not consent to the recording being communicated.‍ (contenu intime communiqué de façon non consensuelle)

So what is the problem? The problem is that the wording “reasonable grounds to suspect" cannot be found in the Criminal Code definition for this type of content and there is a very good reason for that. Either content is consensual or it is not. In the Criminal Code at section 162.1, it reads:

(2) In this section, "intimate image" means a visual recording of a person made by any means including a photographic, film or video recording,

(a) in which the person is nude, is exposing his or her genital organs or anal region or her breasts or is engaged in explicit sexual activity;

(b) in respect of which, at the time of the recording, there were circumstances that gave rise to a reasonable expectation of privacy; and

(c) in respect of which the person depicted retains a reasonable expectation of privacy at the time the offence is committed.

In the Criminal Code, either there is consent or there is not. In this Bill, the threshold is the dramatically low “reasonable to suspect”. All you need is a reasonable suspicion and it is not just with respect to the circumstances at the time the image was taken or created, assuming we're dealing with an actual person and an actual image. The courts have said

The words “to suspect” have been defined as meaning to “believe tentatively without clear ground” and “be inclined to think” ... suspicion involves “an expectation that the targeted individual is possibly engaged in some criminal activity. A ‘reasonable’ suspicion means something more than a mere suspicion and something less than a belief based upon reasonable and probable grounds”.

You can be 85% confident that it is consensual, but that remaining 15% results in reasonable suspicion that it is not. When you're dealing with the section related to purported deep fakes, it does not specify that the image has to be of an actual person, whether synthetic or not. It could in fact be a completely fictional person that has been created using photoshop. It would cause no risk of harm to anyone. Given that the image is artificial and the circumstances of its creation are completely unknown, as is the person supposedly depicted in it, you can't help but have reasonable grounds to suspect that it “might” have been communicated nonconsensually.

Deepfakes of actual people created using artificial intelligence is a real thing and a real problem. But artificial intelligence is actually better at creating images and videos of fake people. You should not be surprised that it is being used to create erotic or sexual content of AI-generated people. While it may not be your cup of tea, it is completely lawful.

And it actually gets even worse, because with respect to deepfakes, the Online Harms Act turns on whether the actual communication itself may have been without consent, not the creation of the image. Setting aside for a moment that a fictional person can never consent and can ever withhold consent, an example immediately comes to mind drawn directly from Canada's history of bad legislation related to technology and online mischief.

People may recall that a number of years ago, Nova Scotia passed a law called the Cyber-safety Act which was intended to address online bullying. It was so poorly drafted that it was ultimately found to be unconstitutional and thrown out.

During the time when that law was actually enforced, we had an incident in Nova Scotia where two young people discovered that their member of the legislature had previously had a career as an actor. As part of that career, she appeared in a cable television series that was actually quite popular and in at least a couple scenes, she appeared without her top on. These foolish young men decided to take a picture from the internet, and there were hundreds of them to choose from, and tweets it. What happened next? This politician got very mad and contacted the Nova Scotia cyber cops, who threatened the young man with all sorts of significant consequences.

That image, which was taken in a Hollywood studio, presumably after the actor had signed the usual releases, would potentially fit into this category of harmful content if it were tweeted after the Online Harms Act comes into effect because someone reviewing it on behalf of a platform after it had been flagged would have no idea where the image came from. And if anyone says it’s non-consensual, that’s enough to create reasonable suspicion. One relatively explicit scene actually looks like it was taken with a hidden camera.

Surely, it cannot be the intention of the minister of Justice to regulate that sort of thing. In some ways, it doesn't matter because it would likely be found to be a violation of our freedom of expression, right under section 2B of the charter rights and freedoms, which cannot be justified under section 1 of the charter.

But wait, it gets worse. With respect to the two special categories of harmful content, operators of social media services have an obligation to put in place a flagging mechanism so that objectionable content can be flagged by users. If there are reasonable grounds to believe that the content that has been flagged fits into one of those two categories, they must remove it. Reasonable grounds to believe is also a very low standard. But when you combine the two, the standard is so low that it is in the basement. Reasonable grounds to believe that there are reasonable grounds to suspect is such a low standard that it is probably unintelligible.

Deep fake images are a real, real problem. When a sexually explicit, but synthetic image of a real person is created, it has significant impacts on the victim. If they were doing anything other than window dressing, they would have paid very close attention to the critical definitions and how it is handled. But they have created a scheme in which anything that it's explicit could fit into this category by anybody, rendering the whole thing liable to be thrown out as a violation of the charter, thereby further victimizing vulnerable victims. Victims. And if they had gotten the definition right, which they clearly did not, little code because the harm associated with the dissemination of explicit deep fakes is similar to the harm associated with the already criminalized non-consensual distribution of actual intimate images.

It actually gets even worse, because the digital safety commissioner can get involved and they can order the removal of contents. The removal of content is again based on simple, reasonable grounds to believe that the material is within that category, which again only requires a reasonable ground to suspect a lack of consent. This is a government actor ordering the removal of expressive contents that unquestionably engages the freedom of expression right. Where you have a definition that is so broad that it can include content that does not post any risk of harm to any individual, that definition cannot be upheld as Charter compliant.

Flagging process

If a user flags content as either sexually victimizing a child or as intimate content communicated without consent, the operator has to review it within 24 hours. The operator can only dismiss the flag if it’s trivial, frivolous, vexatious or made in bad faith; or has already been dealt with. If not dismissed, they MUST block it and make it inaccessible to people in Canada. If they block it – which is clearly the default – they have to give notice to the person who posted it and to the flagger, and give them an opportunity to make representations. What this timeline is will be in the regulations. Based on those representations, the operator must decide whether there are reasonable grounds to believe the content is that type of harmful content, and if so, they have to make it inaccessible to persons in Canada. Section 68(4) says they’d have to continue to make it inaccessible to all persons in Canada, which suggests to me they have to have a mechanism to make sure it is not reposted. There is a reconsideration process, which is largely a repeat of the original flag and review process.

One thing that I find puzzling is that this mechanism is mandatory and does not seem to permit the platform operator from doing their usual thing, which is to review material posted on their platform and simply removing it if they are of the view that it violates their platform policies. If it is clearly imagery that depicts child sexual abuse, they should be able to remove it without notice or involving the original poster.

Information grab

Each regulated operator has to submit a “digital safety plan” to the Digital Safety Commissioner. The contents of this are enormous. It’s a full report on everything the operator does to comply with the Act, and also includes information on all the measures used to protect children, preventing harmful content, statistics about flags and takedowns (broken down by category of content), resources allocated by the operator to comply, and information respecting content, other than “harmful content”, that was moderated by the operator and that the operator had reasonable grounds to believe posed a “risk of significant psychological or physical harm.” But that’s not all … it also includes information about complaints, concerns heard and any research the operator has done related to safety on their platform. And, of course, “any other information provided for by regulations.” And most of this also has to be published on the operator’s platform.

Researchers’ information grab

The Commission can accredit people (other than individuals) to access electronic data in digital safety plans. These people must be conducting research, education, advocacy, or awareness activities related to the purposes of the act. The Commission can grant access to these inventories and suspend or revoke accreditation if the person doesn't comply with the conditions. Accredited people can also request access to electronic data in digital safety plans from regulated service operators and the Commission can order that the operator provide the data. However, this access is only allowed for research projects related to the act's purposes.

This is another area where the parameters, which are hugely important, will be left to the regulations. There’s no explicit requirement that the accredited researcher have their research approved by a Canadian research ethics board. It’s all left to the regulations.

We need to remember that “Cambridge Analytica” got their data from a person who purported to be an academic researcher.

If the operator of a regulated service affected by an order requests it, the Commission may consider changing or canceling the order. The Commission may do so if it finds, according to the criteria in the regulations, that the operator can't comply with the order or that doing so would cause the operator undue hardship. An accredited person who requested an order may complain to the Commission if the operator subject to the order fails to comply. The Commission must give the operator a chance to make representations.

Finally, the Commission may publish a list of accredited people and a description of the research projects for which the Commission has made an order.

Submissions from the public

The Act contains a mechanism by which any person in Canada may make a submission to the Commission respecting harmful content that is accessible on a regulated service or the measures taken by the operator of a regulated service to comply with the operator’s duties under the Act. The Commission can provide information about the submission to the relevant operator and there are particular provisions to protect the identity of any employees of an operator that make a submission to the Commission.

Complaints to the Commission

The real enforcement powers of the Commission come into play in Part 6 of the Act. Any person in Canada may make a complaint to the Commission that content on a regulated service is content that sexually victimizes a child or revictimizes a survivor or is intimate content communicated without consent. These are the particularly acute categories of deemed “harmful content.”

The Commission has to conduct an initial assessment of the complaint and dismiss it if the Commission is of the opinion that it is trivial, frivolous, vexatious or made in bad faith; or has otherwise been dealt with.

If the complaint is not dismissed, the Commission must (not may) give notice of the complaint to the operator and make an order requiring the operator to, without delay, make the content inaccessible to all persons in Canada and to continue to make it inaccessible until the Commission gives notice to the operator of its final decision. This is an immediate takedown order without any substantial consideration of the merits of the complaint. All they need is a non-trivial complaint. I don’t mind an immediate takedown if one reasonably suspects the content is child sexual abuse material, but the categories are broader than that.

The operator must ask the user who posted the content on the service whether they consent to their contact information being provided to the Commission. If the user consents, the operator must provide the contact information to the Commission.

“Hey, you’re being accused of posting illegal content on the internet, do you want us to give your information to the Canadian government?”

The Commission must give the complainant and the user who communicated the content on the service an opportunity to make representations as to whether the content is content that fits into those categories of harmful content.

Now here is where the rubber hits the road: The Commission must decide whether there are “reasonable grounds to believe” that the content fits into those categories. In a criminal court, the court would have to consider whether the content fits the definition, beyond a reasonable doubt. In a civil court, the court would have to consider whether the content fits the definition, on a balance of probabilities. Here, all the Commission needs to conclude is whether there are “reasonable grounds to believe.” If they do, they issue an order that it be made permanently inaccessible to all persons in Canada.

That is a dramatically low bar for permanent removal. Again, I’m not concerned about it being used with material that is child abuse imagery or is even reasonably suspected to be. But there is a very strong likelihood that this will capture content that really is not intimate content communicated without consent. Recall the definition, and the use of “reasonable to suspect”:

intimate content communicated without consent means

(i) the person had a reasonable expectation of privacy at the time of the recording, and

(ii) the person does not consent to the recording being communicated; and

To order a permanent takedown, the Commission just needs to conclude there are reasonable grounds to believe that it is “reasonable to suspect” a lack of consent. There’s no requirement for the complainant to say “that’s me and I did not consent to that.” Unless you know the full context and background of the image or video, and know positively that there WAS consent, there will almost always be grounds to suspect that there wasn’t. And remember that the deepfake provision doesn’t specifically require that it be an actual living person depicted. It could be a complete figment of a computer’s imagination, which is otherwise entirely lawful under Canadian law. But it would still be ordered to be taken down.

The Commission’s vast powers

The Commission has vast, vast powers. They’re breathtaking, actually. These are set out in Part 7 of the Act. Here’s part of these powers:

86 In ensuring an operator’s compliance with this Act or investigating a complaint made under subsection 81(1), the Commission may, in accordance with any rules made under subsection 20(1),

(a) summon and enforce the appearance of persons before the Commission and compel them to give oral or written evidence on oath and to produce any documents or other things that the Commission considers necessary, in the same manner and to the same extent as a superior court of record;

(b) administer oaths;

(c) receive and accept any evidence or other information, whether on oath, by affidavit or otherwise, that the Commission sees fit, whether or not it would be admissible in a court of law; and

(d) decide any procedural or evidentiary question.

And check out these “Rules of evidence” (or absence of rules of evidence) for the Commission:

87 The Commission is not bound by any legal or technical rules of evidence. It must deal with all matters that come before it as informally and expeditiously as the circumstances and considerations of fairness and natural justice permit.

If the Commissioner holds a hearing – which is entirely in its discretion to determine when a hearing is appropriate – it must be held in public unless it isn’t. There’s a laundry list of reasons why it can decide to close all or part of a hearing to the public.

I don’t expect we’ll see hearings for many individual complaints.

Inspectors

The next part is staggering. In section 90, the Commission can designate “inspectors” who get a “certificate of designation”. Their powers are set out in section 91. Without a warrant and without notice, an inspector can enter any place in which they have reasonable grounds to believe that there is any document, information or other thing relevant to that purpose. Once they’re in the business, they can

(a) examine any document or information that is found in the place, copy it in whole or in part and take it for examination or copying;

(b) examine any other thing that is found in the place and take it for examination;

(c) use or cause to be used any computer system at the place to examine any document or information that is found in the place;

(d) reproduce any document or information or cause it to be reproduced and take it for examination or copying; and

(e) use or cause to be used any copying equipment or means of telecommunication at the place to make copies of or transmit any document or information.

They can force any person in charge of the place to assist them and provide documents, information and any other thing. And they can bring anybody else they think is necessary to help them exercise their powers or perform their duties and functions.

There’s also a standalone requirement to provide information or access to an inspector:

93 An inspector may, for a purpose related to verifying compliance or preventing non-compliance with this Act, require any person who is in possession of a document or information that the inspector considers necessary for that purpose to provide the document or information to the inspector or provide the inspector with access to the document or information, in the form and manner and within the time specified by the inspector.

Holy crap. Again, no court order, no warrant, no limit, no oversight.

It’s worth noting that most social media companies don’t operate out of Canada and international law would prevent an inspector from, for example, going to California and inspecting the premises of a company there.

Compliance orders

The Act grants the Commission staggeringly broad powers to issue “Compliance orders”. All these orders need is “reasonable grounds to believe”. There’s no opportunity for an operator to hear the concerns, make submissions and respond. And what can be ordered is virtually unlimited. There is no due process, no oversight, no appeal of the order and the penalty for contravening such an order is enormous. It’s up to the greater of $25 million or 8% of the operator’s global revenue. If you use Facebook’s 2023 global revenue, that ceiling is $15 BILLION dollars.

94 (1) If the Commission has reasonable grounds to believe that an operator is contravening or has contravened this Act, it may make an order requiring the operator to take, or refrain from taking, any measure to ensure compliance with this Act.

This is a breathtaking power, without due process, without a hearing, without evidence and only on a “reasonable grounds to believe”. And what can be ordered is massively open-ended.

You may note that section 124 of the Act says that nobody can be imprisoned in default of payment of a fine under the Act. The reason for this is to avoid due process. Under our laws, if there’s a possibility of imprisonment, there is a requirement for higher due process and procedural fairness. It’s an explicit decision made, in my view, to get away with a lower level of due process.

Who pays for all this?

The Act makes the regulated operators pay to fund the costs of the Digital Safety Commission, Ombudsperson, and Office. Certainly it has some good optics that the cost of this new bureaucracy will not be paid from the public purse, but I expect that any regulated operator will be doing some math. If the cost of compliance and the direct cost of this “Digital Safety Tax” is sufficiently large, they may think again about whether to continue to provide services in Canada. We saw with the Online News Act that Meta decided the cost of carrying links to news was greater than the benefit they obtained by doing so, and then rationally decided to no longer permit news links in Canada.

Amendments to the Criminal Code and the Canada Human Rights Act

Finally, I agree with other commentators in reaching the conclusion that bolting on amendments to the Criminal Code and the Canada Human Rights Act was a huge mistake and will imperil any meaningful discussion of online safety. Once again, the government royally screwed up by including too much in one bill.

The bill makes significant additions to the Criminal Code. Hate propaganda offenses carry harsher penalties. The bill defines "hatred" (in line with Supreme Court of Canada jurisprudence) and creates a new hate crime: "offense motivated by hatred."

Moreover, Bill C-63 amends the Canadian Human Rights Act. It adds "communication of hate speech" through the Internet or similar channels as discriminatory practice. These amendments give individuals the right to file complaints with the Canadian Human Rights Commission which, in turn, can impose penalties of up to $20,000. However, these changes concern user-to-user communication, not social media platforms, broadcast undertakings, or telecommunication service providers.

Bill C-63 further introduces amendments related to the mandatory reporting of child sexual abuse materials. They clarify the definition of "Internet service" to include access, hosting, and interpersonal communication like email. Any person providing an Internet service to the public must send all notifications to a designated law enforcement body. Additionally, the preservation period for data related to an offense is extended.

Conclusion

All in all, it is not as bad as I expected it to be. But it is not without its serious problems. Given that the discussion paper from a number of years ago was a potential disaster and much of that has been improved via the consultation process, I have some hope that the government will listen to those who want to – in good faith – improve the bill. That may be a faint hope, but unless it’s improved, it will likely be substantially struck down as unconstitutional

Canadian Bill S-210 proposes age verification for internet users

2024-02-05T11:05:00.006-04:00

There’s a bill working its way through the Parliament that presents a clear and present danger to the free and open internet, to freedom of expression and to privacy online. It’s a private member’s bill that shockingly has gotten traction.

You may have heard of it, thanks to Professor Michael Geist, who has called the Bill “the Most Dangerous Canadian Internet Bill You’ve Never Heard Of.”

In a nutshell, it will require any website on the entire global internet that makes sexually explicit material available to verify the age of anyone who wants access, to ensure that they are not under the age of eighteen. Keeping sexually explicit material away from kids sounds like a laudable goal and one that most people can get behind.

The devil, as they say, is in the details. It presents a real risk to privacy, a real risk to freedom of expression and a real danger to the open internet in Canada. The author of the Bill says it does none of that, but I believe she is mistaken.

The bill was introduced in the Senate of Canada in November 2021 by Senator Julie Miville-Dechêne. She is an independent senator, appointed by Prime Minister Justin Trudeau in 2018. Much of her career was as a journalist, which makes her obliviousness of the freedom of expression impact of her bill puzzling. I don’t think she’s acting in bad faith, but I think she’s mistaken about the scope and effect of her Bill.

In 2022, the Bill was considered by the Senate Standing Committee on Legal and Constitutional Affairs. That Committee reported it back to the Senate in November 2022, and it languished until it passed third reading in April 2023 and was referred to the House of Commons. Many people were surprised when the House voted in December 2023 to send it for consideration before the Standing Committee on Public Safety and National Security. Every Conservative, Block and NDP member present voted in favour of this, while most Liberals voted against it. Suddenly, the Bill had traction and what appeared to be broad support among the opposition parties.

So what does the bill do and why is it problematic? Let’s go through it clause by clause.

The main part of it – the prohibition and the offence – is contained in section 5. It creates an offence of “making available” “sexually explicit material” on the Internet to a young person. This incorporates some defined terms, from section 2.

Making sexually explicit material available to a young person
5 Any organization that, for commercial purposes, makes available sexually explicit material on the Internet to a young person is guilty of an offence punishable on summary conviction and is liable,

(a) for a first offence, to a fine of not more than $250,000; and
(b) for a second or subsequent offence, to a fine of not more than $500,000.

“Making available” is incredibly broad. When a definition says “”includes”, it means that it can mean more than the terms that follow. “Transmitting” is a very, very broad term. Is that intended to cover the people who operate the facilities over which porn is transmitted? It is very broad.

A “young person” is a person under the age of 18. That’s pretty clear.

The definition of “sexually explicit material” is taken from the Criminal Code. It should be noted that this definition was created and put in the Criminal Code for a particular purpose. This is not a catch-all offence that makes it illegal to make sexually explicit material available to a young person. This is an element of an offence, where the purpose of providing this material to a young person is to facilitate another offence against a young person. Essentially, grooming a young person.

Definition of sexually explicit material
(5) In subsection (1), sexually explicit material means material that is not child pornography, as defined in subsection 163.1(1), and that is
(a) a photographic, film, video or other visual representation, whether or not it was made by electronic or mechanical means,

(i) that shows a person who is engaged in or is depicted as engaged in explicit sexual activity, or
(ii) the dominant characteristic of which is the depiction, for a sexual purpose, of a person’s genital organs or anal region or, if the person is female, her breasts;

(b) written material whose dominant characteristic is the description, for a sexual purpose, of explicit sexual activity with a person; or
(c) an audio recording whose dominant characteristic is the description, presentation or representation, for a sexual purpose, of explicit sexual activity with a person.

To be clear, it is not a crime to make this sort of material available to a young person unless you’re planning further harm to the young person.

Let’s look at what is included in this definition. Visual, written or audio depictions of explicit activity. And visual depictions of certain body parts or areas, if it’s done for a sexual purpose.

In paragraph 5(a)(i), it does not say that the depiction has to be explicit. It says the activity in which a person is engaged is explicit.

Let’s take a moment and let this sink in. This is not limited to porn sites.

This sort of material is broadcast on cable TV. It’s certainly available in adult book stores (which specialize in certain types of publications), but it’s also available in general book stores. This sort of material is available in every large library in Canada.

This definition would include educational materials.

This definition is so broad that it covers wikipedia articles related to art, reproduction and sexual health.

It is certainly not limited to materials that would cause a reasoned risk of harm to a young person. And it doesn’t take any account of the different maturity levels of young people. The sex ed curriculum is very different for 14 year olds, 16 year olds and 18 year olds.

Section 6 is where the government mandated age verification technology comes in. Essentially, you can’t say that you thought you were only providing access to the defined material to adults. You have to implement a government prescribed age verification method to ensure that the people getting access are not under 18. That’s essentially the only due diligence defence. We’ll talk about government prescribed age verification methods shortly.

There’s another defence, which is “legitimate purpose”.

No organization shall be convicted of an offence under section 5 if the act that is alleged to constitute the offence has a “legitimate purpose related to science, medicine, education or the arts.” Maybe that will be interpreted broadly so that wikipedia articles related to art, reproduction and sexual health are not included. But it’s a defence, so it has to be raised after the person is charged. The onus is on the accused to raise it, not on the prosecution to take it into account at the time of laying a charge.

There’s also a defence that’s available if the organization gets a “Section 8” notice and complies with it. “What the heck are those?” you may ask. The bill has an “enforcement authority”, who I’m afraid will be the CRTC.

If they have reasonable grounds to believe that an organization committed an offence under section 5 (by allowing young people to access explicit materials), the enforcement authority may issue a notice to them under this section.

The notice names the organization, tells them they have reasonable grounds to believe they are violating the Act – but does not have to tell them the evidence of this. And they essentially get to order the organization to take “steps that the enforcement authority considers necessary to ensure compliance with this Act”. It doesn’t say “THAT ARE NECESSARY”, but what the enforcement authority thinks is necessary.

So the organization has twenty days to do all the things specified in the notice. They do get to make representations to the enforcement authority, but that doesn’t stop the clock. The 20 days keeps ticking.

Here’s where the rubber hits the road.

The “enforcement authority”, if they are not satisfied that the organization has taken the steps that the enforcement authority deems to be necessary, the enforcement authority gets to go to the Federal Court to get an order essentially blocking the site. Specifically, it says: “for an order requiring Internet service providers to prevent access to the sexually explicit material to young persons on the Internet in Canada.”

Any Internet service provider who would be subject to the order would be named as a respondent to the proceedings, and presumably can make submissions. But I can only think of one or two internet service providers who would do anything other than consent to the order, while privately cheering.

Take a look at this section, which sets the criteria for the issuance of an order.

(4) The Federal Court must order any respondent Internet service providers to prevent access to the sexually explicit material to young persons on the Internet in Canada if it determines that

(a) there are reasonable grounds to believe that the organization that has been given notice under subsection 8(1) has committed the offence referred to in section 5;
(b) that organization has failed to take the steps referred to in paragraph 8(2)‍(c) within the period set out in paragraph 8(2)‍(d); and
(c) the services provided by the Internet service providers who would be subject to the order may be used, in Canada, to access the sexually explicit material made available by that organization.

It says the Court MUST issue the order – not MAY, but MUST, if there are reasonable grounds to believe that the organization committed the offence under the Act. It doesn’t require proof beyond a reasonable doubt, it doesn’t even require proof by a civil standard (being on a balance of probabilities or more likely than not), and it doesn’t even require actual belief based on evidence that an offence was committed. It requires only “reasonable grounds to believe.”

And it requires them to have not taken all the steps dictated by the enforcement authority within the extremely brief period of twenty days.

Finally, the order MUST issue if the court determines “the services provided by the Internet service providers who would be subject to the order MAY be used, in Canada, to access the sexually explicit material made available by that organization”.

That is a really, really low bar for taking a site off the Canadian internet.

But wait – there’s more!

The act specifically authorizes wide-ranging orders that would have the effect of blocking material that is not explicit and barring adult Canadians from seeking access to that same explicit material.

And if you look at the first sentence of subsection 5, it says “if the federal court determines that it is necessary to ensure that the sexually explicit material is not made available to young persons on the internet in Canada" it doesn't say anything about limiting the continuation of the offense or even tying it to the alleged offense set out in the notice. This is really poorly drafted and constructed.

Effect of order
(5) If the Federal Court determines that it is necessary to ensure that the sexually explicit material is not made available to young persons on the Internet in Canada, an order made under subsection (4) may have the effect of preventing persons in Canada from being able to access

(a) material other than sexually explicit material made available by the organization that has been given notice under subsection 8(1); or
(b) sexually explicit material made available by the organization that has been given notice under subsection 8(1) even if the person seeking to access the material is not a young person.

So, as we’ve seen, all of this hinges on companies verifying the age of users before allowing access to explicit material and the only substantial defence to the offence set out in the act is to use a government-dictated and approved “age verification method.”

We need to remember, adult Canadians have an unquestioned right to access just about whatever they want, including explicit material.

The criteria for approving an age verification method may be the only bright spot in this otherwise dim Act. And it’s only somewhat bright.

Before prescribing an age-verification method, the government has a long list of things they have to consider.

Specifically, the Governor in Council must consider whether the method

(a) is reliable;
(b) maintains user privacy and protects user personal information;
(c) collects and uses personal information solely for age-verification purposes, except to the extent required by law;
(d) destroys any personal information collected for age-verification purposes once the verification is completed; and
(e) generally complies with best practices in the fields of age verification and privacy protection.

They just have to consider these. They’re not “must haves”, but good to haves. And there’s no obligation on the part of the government to seek input from the Privacy Commissioner.

So what’s the current state of age verification? It’s not uncommon to require a credit card, under the assumption that a person with a valid credit card is likely an adult. I’m not sure that’s the case any more and it may not be reliable.

There’s also ID verification, often coupled with biometrics. You take a photo of your government-issued ID, take a selfie, and software reads the ID, confirms you’re over 18 and compares the photo on the ID to the photo you’ve taken. That involves collecting personal information from your ID, which very likely includes way more information than is necessary to confirm your age. It involves collecting your image, and it involves collecting and using the biometrics from your selfie and your ID.

Do you really want to provide your detailed personal information, that could readily be used for identity theft or fraud, to a porn site? Or a third party “age verification service”?

One scheme was proposed in the UK a number of years ago, in which you would go to a brick and mortar establishment like a pub or a post office, show your ID and be given a random looking code. That code would confirm that someone reliable checked your ID and determined you were of age. Of course, this becomes a persistent identifier that can be used to trace your steps across the internet. And I can imagine a black market in ID codes emerging pretty quickly.

And there are some important things missing. For example, is it universally applicable? Not everyone has government-issued ID. Some systems rely on having a valid credit card. Not everyone has one, let alone a bank account.

The Bill’s sponsor and supporters say “smart people will come up with something” that is reliable and protects privacy. Why don’t we wait until we have that before considering passing a bill like this?

Let’s game this out with a hypothetical. Imagine, if you will, a massive online encyclopedia. It has thousands upon thousands – maybe millions – of articles, authored by thousands of volunteers. They cover the full range of subjects known to humanity, which of course includes reproduction and sexual health. A very small subset of the content they host and that their volunteers have created would fit into the category of “sexually explicit material”, but it is there, it exists and it is not age-gated.

The operators of this encyclopedia very reasonably take the view that their mission is educational and they’re entitled to the protection of the legitimate purpose defence that is supposed to protect “science, medicine, education or the arts”.

They also take the view that providing access to their educational material in Canada is protected by the Charter of Rights and Freedoms. And they also reasonably take the view that the Charter protects the rights of Canadians to access the content they produce.

But one day, a busy-body complains to the CRTC’s porn force that this online encyclopedia contains material that may be sexually explicit. The captain of the porn force drafts up a notice under Section 8, telling them that they must make sure that only people who have confirmed their age of majority via a government approved age verification technique can get access to explicit content.

The encyclopedia writes back and says “please let us know what is your criteria for judging whether something is published ‘for a sexual purpose’, as required in many parts of the definition.” Also, they say, their purpose is entirely educational, so they have a legitimate purpose. And they also mention the Charter. Meanwhile, 20 days pass by.

So the porn force makes an application in the Federal Court and serves notice on all the major internet service providers. None of the internet service providers show up at the hearing. The publishers of the encyclopedia hire a really good Canadian internet lawyer, who tells the court that the encyclopedia’s purpose is legitimate and related to education. And they’re likely not engaged in “commercial activity”. And cutting off access to the encyclopedia would be unconstitutional as a violation of the Canadian Charter of Rights and Freedoms.

The government lawyer, on behalf of the porn force, points to section 9(4) and says the court has no discretion to NOT issue the order if there are reasonable grounds to believe an offence has been committed and they didn’t follow the dictates set out in the Section 8 notice.

Even with the encyclopedia's information about their purposes, the bar of “reasonable grounds to believe” is so low that paragraph (a) is met. Since the encyclopedia didn’t follow the Section 8 order because they were sure they had a defence to the charge, paragraph (b) is met. And an order to all Canadian ISPs to block access to the encyclopedia would have the effect set out in paragraph (c).

Slam dunk. The Court must issue that order. But what about the fact that it would have the effect of cutting ALL Canadians off from the 99.999% of the site’s content that are not explicit? Tough. Paragraph (5) of Section 9 says that’s ok. No encyclopedia for you!

A Charter challenge would then be raised, and the whole thing would likely be declared unconstitutional as a violation of section 2(b) of the Charter that can’t be justified by section 1.

In short – even if you think this Bill is well intentioned – it is heavy handed, poorly constructed, doesn’t take freedom of expression into account and imagines that we can manufacture some magical fairy dust technology that will make the obvious privacy issues disappear. In short, it is a blunt instrument that imagines it’ll fix the problem.

And I should note that it will likely also have the effect of hurting older children who haven’t yet hit eighteen. The internet, its many communities and information repositories, are all critical for young people seeking legitimate information related to sexual health, sexual orientation and gender identity. Much of this information would fit into the broad definition of sexually explicit material, and it will be illegal for someone to allow them access via the internet. It will remain legal for them to get it in a bookstore or a library, but that’s not how young people generally access information in 2024.

I expect some supporters of this bill will be more than happy to see it limit Canadians’ right to access lawful material.

It’s good to see a discussion of this important issue. Even if you’re in favour of the objectives of this Bill, it is deeply, deeply problematic. It should be parked until there’s a way to deal with this issue without potentially violating the privacy rights and Charter rights of Canadians.