SCC issues decision lending weight to litigation privilege

28 Nov

On Friday, the Supreme Court of Canada held that a legislative provision cannot abrogate litigation privilege unless it does so with clear, explicit and unequivocal language. 

This principle was established for solicitor-client privilege by the Court in its Blood Tribe decision of 2008. It now extends to litigation privilege.

The Court also used Friday’s decision to establish litigation privilege as a “fundamental principle of the administration of justice.” It affirmed:

  • litigation privilege is a class privilege, entailing a presumption of immunity from disclosure once the conditions for its application have been met;
  • litigation privilege is only subject to clearly defined exceptions and not to a case-by-case balancing exercise; and
  • litigation privilege can be asserted against third parties, including third parties who have a duty of confidentiality.

Litigation privilege retains its status as a kind of junior privilege to the almighty solicitor-client privilege. According to the Court, however, litigation privilege is an important, class privilege that behaves like a class privilege. Arguments that litigation privilege must give way to the truth seeking function because of the circumstances will now ordinarily fail. 

Lizotte v. Aviva Insurance Company of Canada, 2016 SCC 52 (CanLII).

SCC deals blow to privacy commissioner powers – privilege reigns supreme

28 Nov

Yesterday the Supreme Court of Canada issued a decision in which it held that the Information and Privacy Commissioner of Alberta does not have the power to compel the production of documents over which solicitor-client privilege is claimed in conducting an access inquiry under Alberta’s public sector access and privacy statute. 

The case – which arose out of an access request made to the University of Calgary – is a sequel to the 2008 Blood Tribe Department of Health case in which the Supreme Court of Canada made a similar finding regarding the Office of the Privacy Commissioner of Canada’s powers under the Personal Information Protection and Electronic Documents Act. Blood Tribe established that solicitor-client privilege cannot be abrogated by statutory language that is any less than “clear, explicit and unequivocal.” PIPEDA, however, is a unique statute. It establishes the OPC as an ombudsperson and not in adjudicator, and the power to produce that the OPC relied upon in Blood Tribe was drafted in the most general terms. Accordingly, Blood Tribe left a question about the powers of other privacy commissioners under more traditional statutes.

That question is now answered.

The Alberta Freedom of Information and Protection of Privacy Act gives the Alberta Commissioner the power to order production despite “any privilege of the law of evidence.” This phrase appears in a number of other public sector access and privacy statutes as does the similar phrase “any privilege under the law of evidence.” Ten privacy and access authorities therefore intervened in the University of Calgary case to argue in support of their mandates.

Nonetheless, a five judge majority held that the language of Alberta FIPPA is not clear enough to override solicitor-client privilege. The majority took pains to root its analysis in statutory interpretation principles, but its finding is best understood as reflecting a near absolute dedication to the supremacy of solicitor-client privilege. The majority also viewed the Alberta Commissioner as something less than an impartial adjudicator, alluding to the tradition by which information commissioners often act as parties in reviews of their own orders.

We must be careful in drawing broad conclusions about a finding under a particular access and privacy statute, but this decision will have a ripple effect. Commissioners across Canada may adjust their protocols for dealing with solicitor-client privilege claims and may lobby for statutory amendments. University of Calgary is a good news decision for institutions given the burden of arguing solicitor-client privilege claims on a record-by-record basis.

Alberta (Information and Privacy Commissioner) v. University of Calgary, 2016 SCC 53 (CanLII).

SCC says PIPEDA does not constrain a court’s procedural power

19 Nov

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3) , PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

First CASL decision invites long-desired feeling of normality

29 Oct

Canada’s Anti-Spam Legislation is relatively new, onerous and far from elegant. Organizations have been weighing the risks the best they can – and in doing so have puzzled over how to account for CASL’s provision for penalties of up to $10 million.

On October 26th, the CRTC issued a decision in which it held that a company breached the consent requirement in CASL by sending approximately 385,000 unsolicited e-mails to government employees. As a result, it ordered an administrative monetary penalty of $50,000. Most significantly, the CRTC’s decision includes following comment about the significance of CASL’s significant maximum penalty:

The potential for higher penalties provides the Commission and the designated person with a means to recognize and address more egregious non-compliance when it arises, but this does not mean that larger penalties are inherently more appropriate in comparison to regimes with lower maximum penalties. As provided for in the Act, the objective and effect of an AMP must always be to promote compliance, and must not be to punish.

The CRTC considered the size of the company (“small”) and the short duration of the violation (two months) to support a lower penalty. Conversely, it considered the company’s failure to respond to a production order and its failure to change its practices immediately when contacted by investigators as aggravating factors.

The company violated the Act because it could not demonstrate the basis for which it claimed implicit consent to message individuals whose e-mail addresses were “conspicuously published.” In finding a violation, the CRTC said:

The requirement that it be relevant to the recipient’s role or functions creates the condition that the address be published in such a manner that it is reasonable to infer consent to receive the type of message sent, in the circumstances… Paragraph 10(9)(b) of the Act does not provide persons sending commercial electronic messages with a broad licence to contact any electronic address they find online; rather, it provides for circumstances in which consent can be implied by such publication, to be evaluated on a case-by-case basis.

Harvesting addresses from the internet for the purpose of business-to-business marketing is permitted but, as this case shows, organizations need a protocol to demonstrate a duly diligent effort to send individuals messages that are relevant to their work.

None of this should come as a surprise, but this welcome decision does invite a long-desire feeling of normality.

Compliance and Enforcement Decision CRTC 2016-428.

 

Two recent privacy and cyber presentations

10 Oct

It’s been a busy last couple months on a number of fronts. Here are a couple of presentations I’ve delivered recently – a privacy updated delivered to the Canadian Association of University Solicitors in beautiful Cape Breton, NS (on outsourcing to the cloud and liability for data loss and misuse) and another to the Ontario Association of Children’s Aid Societies (on the claims context for data loss claims, incident prevention and incident response). Happy thanks giving everyone!

 

Court approves settlement, limits recovery of class counsel fees

15 Sep

On August 29th, Justice Perell of the Ontario Superior Court of Justice approved settlement of an action brought against Home Depot following a significant 2014 payment card system intrusion. The Court approved a settlement that featured a $250,000 non-reversionary settlement fund for documented claims of “compromise” and an agreement to pay up to $250,000 in credit monitoring. It also denied payment of approximately $407,000 in (docketed) legal fees to class counsel as unjustified, approving instead, payment of $120,000 in fees.

This is a good outcome for organizations exposed to potential class action claims for data security incidents. It was driven by two factors: (1) the Court found the incident was associated with a limited risk of damage; and (2) the Court was impressed by Home Depot’s incident response.

Regarding damage, the Court assessed the risk of damage flowing from a compromise to payment card information and e-mail address information as minimal:

[46] Professor Archer outlined three heads of damage to consumers from a payment card breach:  (1) the risk of a fraudulent charge on one’s credit card; (2) the risk of identity theft; and (3) the inconvenience of checking one’s credit card statements. The so-called non-reversionary Settlement Fund of $250,000 is designed to provide compensation for these heads of damages.

[47] Of the three heads of damage, practically speaking, there is little risk of fraudulent charges because of sophisticated safeguards developed by credit card companies. Moreover, when there are frauds, the losses are almost always absorbed by the credit card company or the retailer. The credit card companies are not Class Members.

[48] In the immediate case, there is no evidence that a Class Member absorbed a fraudulent charge. Neither Merchant Law Group nor McPhadden Samac Tuovi LLP have been contacted by a putative Class Member who said that he or she suffered a financial loss attributable to the data breach.

[49] There is also little risk that the data breach, including the disclosure of email addresses, increased the risk of identity theft, because the stolen data would have been inadequate to allow a criminal to fake another’s identity.

[50] Mr. Hamel’s evidence was that for identity theft, the most important information to have is a government-issued identification number such as a driver’s licence number, social insurance number or passport number and preferably all three. In the immediate case, the data stolen from Home Depot did not include this information.

[51] As for inconvenience damages, in the immediate case, there are none, because credit card holders are already obliged to check their statements for fraudulent purchases.

(Note that the Office of the Information and Privacy Commissioner of Alberta has recognized that the loss of e-mail address is associated with a risk of spear phishing – a risk that is arguably remote.)

Regarding incident response, Home Depot had offered to pay for a number of fraud protection services following the incident – including credit monitoring, identity theft insurance and credit repair services. The Court commented that this reduced the need for behavior modification:

[100] The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.

These two factors led the Court to place little value on the action or the settlement. Justice Perell (who is outspoken), commented, “I would have approved a discontinuance of Mr. Lozanski’s proposed class action with or without costs and without any benefits achieved by the putative Class Members.”

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII).

No privacy breach for reporting what’s on the court’s record

2 Sep

On August 10th, the Ontario Superior Court of Justice dismissed a privacy claim brought against the publishers of The Lawyer’s Weekly for reporting on the plaintiff’s involvement in a small claims court proceeding. The Court adopted the following defendant submission:

Further, recent developments in the common law regarding invasion of privacy have fallen well short of the cause of action asserted by Bresnark. On the facts of this case, there is no ‘intrusion upon seclusion’, nor even any disclosure of ‘private facts’. Indeed, the Article is wholly based on public court proceedings and the facts and findings disclosed on the record in those cases. Therefore, the cause of action asserted in paragraph 4 of the statement of claim should be struck as disclosing no cause of action. It is plain and obvious that it has no chance of success.

The Court also dismissed a defamation claim as statute-barred.

Bresnark v Thomson Reuters Canada Limited, 2016 ONSC 5105 (CanLII).