Author: Dan Michaluk

Case Report – BCCA says statutory privilege not a barrier to production

On October 9th, the British Columbia Court of Appeal held that the privilege in section 517(5) of the Canada Elections Act is not a bar to production.

The section deems the fact that a person entered into a compliance agreement and any statement in a compliance agreement that admits responsibility for a violation of the Act to be inadmissible as evidence. The Court held that the provision only deems evidence to be inadmissible and does not bar production. It also held that the information, in the circumstances, was not subject to litigation privilege.

Ontario courts have read the statutory privilege governing an Ontario Student Record similarly. See, for example, the McNeil case.

Lougheed Estate v. Wilson, 2009 BCCA 438.

Couple posts on Slaw.ca of interest

I’ve posted two pieces  on privacy over at slaw.ca in the last two weeks. The first is a critique of the federal, B.C. and Alberta privacy commissioner’s H1N1 guidance. The second, from today, is an interview I conducted with Melanie Bueckert, author of the recently published book, “The Law of Employee Monitoring in Canada.” Check them out when you can!

Case Report – RCMP allowed to access flight manifest without a warrant

On November 6th, the Nova Scotia Court of Appeal held that the RCMP did not conduct an unreasonable search by reviewing a WestJet passenger manifest without a warrant and without making a formal request.

The context and the background

The issue of law enforcement’s access to personal information held by business organizations has arisen in a number of recent criminal cases, and it is becoming common for courts to judge the reasonableness of a police search in light of standards set by PIPEDA. PIPEDA restricts regulated organizations from disclosing personal information without consent, but includes the following key exemption:

7(3) For the purposes of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is…

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province…

In this case, the RCMP reviewed a passenger manifest from a domestic flight, identified a passenger who had paid by cash shortly before the flight and who only had one piece of luggage and proceeded to search that passenger’s luggage. It found drugs and laid charges.

Trial judge finds Charter breach

In December of last year, Mr. Justice Simon MacDonald of the Nova Scotia Supreme Court held the RCMP breached PIPEDA because it did not make a “request” required by section 7(3)(c.1) given its “cozy” relationship with WestJet:

It might be a fair comment to say the officers had assumed they had permission to look at the manifest from their daily discussions and associations with the staff at Westjet.  However, in my mind that is not a satisfactory answer to the problem.  There were certain obligations upon the RCMP officers in reviewing the manifest which were legislated under PIPEDA and applied when they went to look at this manifest without a warrant.  Mr. Plimmer said Westjet put a protocol on procedures in place for the police to follow in order to see manifests.  The police were aware of the procedure they had to follow.  I find they didn’t do so in this case, but rather cavalierly walked into Westjet and simply started looking at manifests.

In addition to signaling that the procedural requirements in section 7(3)(c.1) are likely to be read strictly, the trial judgement was notable for its close consideration of WestJet’s privacy policy. The policy said that WestJet might be “required by legal authorities” to disclose personal information without consent, but did not say that WestJet would voluntarily cooperate with law enforcement. MacDonald J. said the policy “seems to emphasize that WestJet would only collect and disclose what is required by law and nothing more.” This weighed in favour of finding the search to be unreasonable and therefore unconstitutional.

MacDonald J. then excluded the evidence based on an application of the Collins test.

Court of Appeal disagrees

The Court of Appeal held that MacDonald J. erred by finding that the RCMP did not have legal authority for the collection of information and by equating a breach of PIPEDA with a breach of the Charter right to be free from unreasonable search and seizure. It then conducted its own contextual expectation of privacy analysis and held that section 8 of the Charter was not engaged in the circumstances. It noted the following in its analysis:

  • It could not infer a subjective expectation of privacy given the information used by the RCMP was not particularly private – that is, the defendant purchased a ticket from Vancouver to Halifax at the last minute with cash and checked a single bag all in public view.
  • The place searched was a third-party’s office, not a home or not even a business premises.
  • Westjet’s privacy policy, with its reference to being “required by authorities” to disclose certain information, was nonetheless a warning to passengers.
  • Given the exception to the consent rule in section 7(3)(c.1)(ii), PIPEDA does not support an expectation of privacy.
  • The police tactic was limited, in that the RCMP relied on a drug courier profile and sought only information that fit that profile.
  • The information collected by the RCMP did not go to the defendant’s “biographical core” of information. The Court said it “amounted to no more than Westjet’s record of Mr. Chehil’s public activities in transacting business with the airline.”
  • The fact that the passenger record had a space where more sensitive personal information could be entered (e.g. food preferences) did not support an expectation of privacy. The Court said this fact was too theoretical to count.

Thanks to David Fraser for the tip on this important case.

R. v. Chehil, 2009 NSCA 111.

Case Report – Fed Court comments on jurisdiction to receive ATIA applications

On October 13th, the Federal Court had an opportunity to comment on its jurisdiction to receive applications for review under section 41 of the Access to Information Act. It held that the Court’s jurisdiction is based on a “genuine and continuing claim of refusal of access.” This supported a finding that it had no jurisdiction to (a) hear an application about a series of requests that were deemed to be refused but, through a series of events, answered by the time the application was filed and (b) reprimand the responding institution for delay.

Statham v. Canadian Broadcasting Corp., 2009 FC 1028.

Case Report – Court denies ex parte motion to preserve Facebook

On October 29th, Price J. of the Ontario Superior Court of justice denied a motion for an ex parte order for preservation of a plaintiff’s Facebook.

The motion was brought by a defendant to a personal injury claim. It brought its motion ex parte on the basis that the plaintiff would be likely to destroy evidence if notified. It therefore had to meet the three-part test from R.J.R.-MacDonald in order to receive interim relief pending a return to court to deal with the matter of production. The Defendant brought its motion on the strength of several photos it had obtained from non-password protected Facebook pages. These showed the plaintiff  after the date of the accident doing things that were arguably consistent with her claim for damages in respect of a significantly curtailed lifestyle – i.e. the pictures showed her sitting and reclining on a floor. Neither these photographs nor any other records from the plaintiff’s Facebook were disclosed in her Affidavit of Documents.

The Court held that the defendant had not adduced any evidence that allowed it to conclude that the plaintiff’s Facebook was likely to contain relevant information and that it would not infer from the nature of the Facebook service that the plaintiff’s Facebook was likely to contain such information. On the inference, Price J.’s decision ought to be viewed to be in conflict with the Court’s prior decisions in Leduc v. Roman and Wice v. Dominion General Insurance Company of Canada. Price J. says:

I do not regard the mere nature of Facebook as a social networking platform or the fact that the Plaintiff possesses a Facebook account as evidence that it contains information relevant to her claim or that she has omitted relevant documents from her Affidavit of Documents. The photographs that the Defendant has obtained from the Plaintff’s account in the present case do not appear, on their face, to be relevant.

Price J. did grant leave to cross-examine the plaintiff on her Affidavit of Documents. He forgave the defendant for not doing so at the plaintiff’s examination for discovery “because Facebook is a relatively recent phenomenon” but specified that the defendant would pay the costs of the examination should it prove fruitless.

Finally, in addressing the balance of convenience, Price J. made the following statement about the balance of convenience:

The Plaintiff has set her Facebook privacy settings to private and has restricted its content to 67 “friends.” She has not created her profile for the purpose of sharing it with the general public. Unless the Defendant establishes a legal entitlement to such information, the Plaintiff’s privacy interest in the information in her profile should be respected.

The concept (reflected in this paragraph) that an expectation of privacy can be maintained despite a limited disclosure of information is supported by privacy advocates, but is not often accepted by courts.

Schuster v. Royal & Sun Alliance Insurance Company of Canada, 2009 CanLII 58971 (S.C.J.).

Information Roundup – 1 November 2009

Here are some links you may find interesting!

You may have noticed that I’ve slowed down posting. This is not because I’ve tired of the blog, but because of my new commitment to Slaw.ca and my new expanded family. Both new commitments are very rewarding, especially new life with Hugs and Pens (below). Please keep coming back.

See ya!

Dan

IMG_0897

IMG_0882

Cloud Computing – 2009 Ontario Access and Privacy Worksop

I presented to a great audience of access and privacy professionals today at the 2009 Ontario Access and Privacy Workshop. My slides are below.

To give this presentation I had to answer for myself whether outsourcing to the cloud is the same as any other data processing outsourcing. I settled on, “not quite” and argued outsourcing to the cloud is different because (1) it will usually be a cross-border outsourcing, which comes with a special set of considerations (especially for government) and (2) the cloud service provider’s business model may not be flexible enough to allow for it to meet an organization’s need to satisfy specific data security requirements.

I’m not a cloud basher. I’ve argued here that one of the legal concerns about outsourcing to the cloud is poorly founded and also have have concerns that the cross-border data transfer issue is a bugaboo. However, outsourcing to the cloud does seem to be a bit of a different game then entering a one-to-one business relationship with a “normal” data processor. Just some thoughts, which I’d invite comment on below.

Dan

Two significant Ontario FOI cases from 2009

I’ve been preparing a case digest for an upcoming universities conference we’re hosting and summarized these two Ontario FOI cases, both of significance.

April 9th – IPC finds personal e-mails under City’s custody or control

In this order, the IPC held that the City of Ottawa was in custody or control of e-mails its solicitor sent and received in his personal capacity, as a board member of a local Children’s Aid Society. Though acknowledging that the e-mails had nothing to do with City business, it held:

  • The City was in physical possessions of the records, which were stored on its e-mail server.
  • The City had the authority to regulate the use of the e-mail system upon the records were kept even though personal e-mails were excluded from the definition of “business record” under the City’s retention by-law.
  • The City reserved a right to monitor its system for unauthorized use.

The factual basis for this decision is not unique, so it has broad significance for FIPPA and MFIPPA institutions.

The City has filed an application for judicial review.

Order MO-2408, 2009 CanLII 16569 (ON I.P.C.).

August 21st – IPC orders municipality to sue third-party record holder

The IPC issued a compliance order that required a municipality to take “all steps necessary,” including legal action, to obtain records that it decided earlier were under the municipality’s custody or control.

The request was for a model and input data that was in the custody of a third-party consultant who was retained by the municipality to evaluate a proposed landfill site. There was no formal retainer, and after an analyzing the IPC’s traditional “custody or control” factors, in May 2009 the IPC ordered the municipality to “issue a written direction to Jagger Hims to provide the County with the records responsive to the appellant’s request.” The municipality did exactly what the IPC ordered, but the third-party did not cooperate and deliver up the records at issue.

The IPC re-initiated its proceeding. Its compliance order was based in part on a finding that the municipality had a “potent legal basis” for causing the third-party to turn over the records.

Order MO-2449, 2009 CanLII 47235 (ON I.P.C.).

Cloud Computing Presentation at ONAP 2009

I’m honoured to have been invited to present at this year’s Ontario Access and Privacy Workshop on October 26th and 27th in Toronto. The agenda looks great, and if you’re in the Ontario provincial or municipal public sector or in the Ontario broader public sector I’d encourage you to check out the conference site and consider attending. I’ll be speaking on privacy and cloud computing, here’s the abstract:

Cloud computing holds many opportunities as a model for business computing, yet it is also associated with a number of legal issues that have caught the public eye and invite close scrutiny. Join Dan Michaluk from Hicks Morley in taking a focussed look at these issues. Dan will lead a discussion with a view to helping government administrators develop a strong ability to manage legal issues in assessing, planning for and implementing cloud computing projects. Issues such as:

  • Good, bad and ugly cloud computing models
  • Applicable regulation and its impact on cross-border transfers
  • Laying the groundwork for outsourcing – the importance of due diligence
  • The negotiation and the contract
  • The Lakehead University and City of Los Angeles outsourcing projects as case studies

I’ve been out here on a Nova Scotian holiday for the last couple weeks reading up on the issue. I posted this piece over at Slaw as a kind of warm-up, but still have some thinking to do, so if you have thoughts or resources please do send them my way. See you there!

Dan

Case Report – Court finds warantless search for ISP subscriber info unreasonable, admits evidence

On October 2nd, Pringle J. of the Ontario Court of Justice held that the police violated section 8 of the Charter by obtaining the identity of an individual suspected of possessing and sharing child pornography by making simple letter request to an ISP. She also admitted the evidence despite the Charter breach, and in doing so made some significant comments about the impact of terms of service on internet user privacy.

There have been a number of recent Canadian cases about whether the police can investigate internet crime by asking an ISP to reveal the identity of the individual linked to an IP address that is associated with unlawful and anonymous activity. The cases turn on whether this investigatory tactic violates a reasonable expectation of privacy. Two factors have featured strongly in the analysis (1) the nature of the information obtained by the police and (2) the contractual terms between the individual and ISP.

Unlike some other judges who have decided the issue, Justice Pringle held that the nature of the information obtained by a police request to an ISP does go to an individual’s biographical core. She explained that this tactic allows the police obtain the identity of an otherwise anonymous internet user and not simply an ISP subscriber’s name and address:

Once the police accessed Mr. Cuttell’s name and address, they were able to link his identity to a wealth of intensely personal information. Linking his name to the shared folder under his IP address, police learned a great deal about Douglas Cuttell and his lifestyle: namely in this case, his interest in adult pornography, obscenity and child pornography, which were all revealed by his choice of shared files.

Pringle J.’s treatment of the contract is even more significant. Like other judges before her, she held the that a contract between the ISP subscriber and ISP can negate an otherwise reasonable expectation of privacy. In the case before Pringle J., however, the Crown did not prove the specific contract entered into between the defendant and his ISP and therefore failed to negate what Pringle J. called a “premise of confidentiality” regarding one’s ability to engage in anonymous internet use. Her judgement suggests that reliance on ISPs alone does not negate an otherwise reasonable expectation of privacy in anonymous internet use, but the specific terms of service an individual agrees to may change this.

Ultimately, ISP terms of service did have a significant influence on the outcome in this case even though the Crown failed to prove the defendant’s specific contract. Pringle J. decided to admit the impugned evidence despite the proven Charter breach, in part, because ISPs often put customers on notice that they will make disclosures to law enforcement. She said:

I also take into account that while the privacy of subscriber information is important and can provide a critical link to personal information, a subscriber name and address does not have a great deal of intrinsic privacy on its own. As the Crown pointed out, Mr. Cuttell’s name was publicly available on Canada411, and his shared folder was also publicly available to anyone wanting to share child pornography. Many Internet Service Providers appear to contract out of their obligation of confidentiality with subscribers in similar circumstances, and accordingly it would be difficult to argue that there is a high expectation of privacy in this information: see Grant at para. 77.

In conclusion, Pringle J. said that the practice of contracting for disclosure is “unfortunate,” but also suggested that the courts will  often be powerless to grant a Charter remedy in the face of such private action.

Thanks to David Fraser for breaking the news this case. For his related opinion piece on Slaw, click here.

R. v. Cuttell, 2009 ONCJ 471 (CanLII).