Automobile accident litigation, privacy and bad tactics

Lee Akazaki of Gilbertson Davis has written a fascinating article in the most recent Advocates’ Quarterly (vol 50) about a privacy-related development that he argues is interfering with the just and expeditious handling of no-fault motor vehicle claims in Ontario.

Mr. Akazaki explains that plaintiff counsel are using privacy claims to frustrate the mandatory independent medical examinations required by section 44 of the Statutory Accident Benefit Schedule:

In about 2016, assessors began to receive cryptic letters from the clients of lawyers retained to advance injury claims. The letters invariably followed a template containing a client’s name, the lawyer’s office address, and the client’s signature. Written in “legalese,” the letters demanded that s. 44 assessors account directly to the claimant for various documents and procedures in the IME process. The letters stated the recipients were not to disclose the requests to insurers or other parties, thus leaving assessors worried that reprisals would follow if they alerted insurers or their agents. They also demanded responses within 30 days, failing which the assessor was liable to face a complaint to the Office of the Privacy Commissioner (OPC) under the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA). The letters exploited ostensible conflicts among health care standards, privacy litigation and SABS.

This is shocking, especially given PIPEDA does not apply. On this point I agree with Mr. Akazaki, though my reasoning differs. This is entirely analogous to the State Farm case, in which the Federal Court held that the gathering of evidence to resolve a civil dispute in a province was not subject to PIPEDA because it is not, in its essence, “commercial activity.” It is unlike Wyndowe, an earlier case in which the Federal Court held that an independent medical examination under a disability insurance contract was subject to PIPEDA.

Mr. Akazaki argues that Wyndowe is distinct because the SABS regime (unlike typical contractual examination rights under disability insurance contracts) treats the (provisional) denial of benefits as a condition precedent to an examination. Okay, but I think the point of distinction is likely more fundamental. It strikes me – and I am not an insurance lawyer! – that the SABS regime is a public regime for resolving civil disputes in the province and is, in part at least, a means of keeping litigation out of court. It’s the public character of the SABS dispute resolution regime that ought to provide it with a form of immunization from PIPEDA. It’s what makes the “primary characterization of the activity” (to use the State Farm test words) something other than commercial.

And a word to the wise, never assume that a privacy statute applies. Application issues abound, and litigating them is where all the fun is at!

Canadian data commissioners have their say on political ad targeting… and more

On November 26th, the Office of the Privacy Commissioner of Canada (the OPC) and the Office of the Information and Privacy Commissioner of British Columbia (the OIPC) jointly held that online marketing company AggregateIQ Data Services breached Canadian privacy law in providing services that supported online targeted political advertising for two campaigns said to be instrumental to the 2016 “Brexit” referendum.

AggregateIQ is a small BC company that provided services to SCL Elections, the UK domiciled parent of Cambridge Analytica – infamous for harvesting data from millions of Facebook users without consent. The joint report is quite vague about whether AggregateIQ used the Cambridge Analytica contraband, and AggregateIQ denies it.

The central finding in the joint report is that information about one’s “political leanings or affiliations” is “sensitive” personal information. Accordingly, the commissioners said, authorization given by an individual to communicate via e-mail was not sufficient to authorize micro-targeting via Facebook (and its “custom audiences” service). They explained:

AIQ asserted that Facebook is simply another way of communicating with individuals, not materially different from email. We respectfully disagree. In our view, an individual who had initially provided their email address for purposes of being kept “up to date” or providing “opportunities to engage” with a campaign may expect to be contacted via email. They would not expect their email address to be used and disclosed to a social media company for advertising on their platform or any other unknown purposes… Accordingly, AIQ had the responsibility, under PIPA and PIPEDA, to ensure that it was relying on express consent for the work it was performing on behalf of Vote Leave.

This finding is about political ad targeting, a problem of great societal importance but of minimal relevance to most organizations. The report also includes two findings of broad relevance.

First, the fact the commissioners took jurisdiction over a matter involving service provided to a foreign political party is important. The commissioners explained:

To be clear, we are not finding, in this section or below, that AIQ’s foreign clients were required to comply with Canadian and BC privacy laws. The practices of those political organizations would generally fall outside the scope of PIPA and PIPEDA, and in any event, were not the subject of this investigation. That said, to the extent that AIQ wished to rely on the consent obtained by those foreign clients for its own collection, use, and disclosure of personal information on their behalf, it would need to ensure that such consent was sufficient, under Canadian or BC law as the case may be, for its purposes.

This quote speaks to a time-old question about whether the use of a commercial service provider can cause activity that would otherwise not be regulated to become subject to Canadian privacy law. This question is of particular concern to provincially regulated employers, who are not subject to federal privacy legislation in respect of employment but often use service providers to help with employment administration.

The Federal Court’s decision in State Farm suggests that the mere engagement of a service provider is not enough to give rise to application (and enforcement jurisdiction). When State Farm was released in 2010 I asked a contact from the OPC how it would interpret State Farm. The answer was, “narrowly,” exactly as the above quote would suggest!

Second, the commissioners make a significant finding about the use of identifying information with Facebook’s “lookalike audience” service – a popular and powerful ad targeting service that involves uploading identifying information about a population (typically of customers) so Facebook can identify and target a lookalike population (of potential customers). The commissioners held that authorization to use personal information for “engagement” purposes was not authorization for “data analytics” purposes, stating:

It is also the case that the privacy notice largely speaks to collecting and using personal information for the purpose of engaging supporters in the campaign and performing services on their behalf. The disclosure of individuals’ personal information to Facebook for data analytics, via its “lookalike audience” feature, does not achieve or relate to either of those objectives. Instead, this disclosure is made to allow Facebook to link supporters to their Facebook profiles and analyze those profiles in order to identify, target, and persuade other similar or like-minded individuals. This is for Vote Leave’s benefit and can certainly not be viewed, in any way, as performing a service on behalf of the voter whose information was processed.

Organizations using the Facebook lookalike service or similar services should pay heed and revisit their source of authorization. More broadly, this quote speaks to the HUGE question, “Is using data to generate insights about a population a use of personal information at all?” The quote suggests the commissioners say “yes,” though there is a reference to data matching done by Facebook that may render this scenario unique. (I like to believe the answer is “no.”)

Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, 2019 CanLII 111872 (PCC).

Threat Exchanges and FOI Legislation

Here’s the second paper that relates to the panel I will be sitting on later this week. It is a collection of FOI case digests about the hacking threat with a covering thesis about the need for greater protection from disclosure. This one particularly caught my interest and includes some ideas I will come back to. Enjoy, and again, please send comments by PM.

 

Legal Privilege and Data Security Incident Response – Law and Practice

I’m off to a cyber conference in Montreal this week to sit on a panel about threat exchanges. My role will be to address the legal risks associated with sharing threat information and a university’s ability to effectively assert a confidentiality interest in the same information. I’m genuinely interested in the topic and have prepared not just one, but two papers!

Here is the first one – a nuts and bolts presentation on privilege and data security incident response. I hope it is useful to you. Feedback welcome through PMs.

What’s significant about the Loblaw report

I finally got around to reading the @PrivacyPrivee report of findings on Loblaw’s manner of authenticating those eligible for a gift card. The most significant (or at least enlightening) thing about the report is that the OPC held that residential address, date of birth, telephone number and e-mail address were, together, “sensitive.” It did so in assessing the adequacy of the contractual measures Loblaw used in retaining a service provider for processing purposes. It said:

  1. The contract also provided guarantees of confidentiality and security of personal information, and included a list of specific safeguard requirements, such as: (i) implementing measures to protect against compromise of its systems, networks and data files; (ii) encryption of personal information in transit and at rest; (iii) maintaining technical safeguards through patches, etc.; (iv) logging and alerts to monitor systems access; (v) limiting access to those who need it; (vi) training and supervision of employees to ensure compliance with security requirements; (vii) detailed incident response and notification requirements; (viii) Loblaw’s pre-approval of any third parties to whom JND wishes to share personal information, as well as a requirement for JND to ensure contractual protections that are at a minimum equivalent to those provided for by its contract with Loblaw; and (ix) to submit to oversight, monitoring, and audit by Loblaw of the security measures in place.
  2. As outlined above, the additional ID’s requested by the Program Administrator were collected through a secure channel (if online) or by mail, verified and then destroyed.
  3. In our view, given the limited, albeit sensitive, information that was shared with the Program Administrator, as well as the limited purposes and duration for which that information would be used, Loblaw’s detailed contractual requirements were sufficient to ensure a level of protection that was comparable to that which would be required under the Act. Therefore, in our view, Loblaw did not contravene Principle 4.1.3 of Schedule 1 of the Act.

Residential address, date of birth, telephone number and e-mail address is a set of basic personal information. In analyzing it, one must recall the “contact information” that the Ontario Superior Court of Justice said was not “private” enough to found a class action claim in Broutzas.

Don’t be misled, though. The OPC made its finding because Loblaw was engaged in authentication, and collected a data set precisely geared to that purpose. The potential harm – identity theft – was therefore real, supporting a finding that the data set as a whole was sensitive. Context matters in privacy and data security. And organizations, guard carefully the data you use to identify your customers.

Federal Court says firearm serial numbers not personal information

On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:

Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered “personal information” since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.

The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.

This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”

Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).