Newfoundland court recognizes intrusion upon seclusion tort

In somewhat strange circumstances, the Supreme Court of Newfoundland and Labrador has recognized the intrusion upon seclusion privacy tort.

The Court made its recognition in deciding a procedural motion in a Municipal Elections Act appeal by two City of Mount Pearl councillors who were sanctioned for not disclosing a conflict of interest. The alleged conflict arose out of their discussions with the Town’s former CAO while he was on administrative leave and the subject of a harassment investigation.

The City had discovered the conflict after it seized the CAO’s work iPad, which was still sending snippets of messages from the CAO’s personal Facebook Messenger account to the iPad’s home screen. Staff from IT saw the troubling messages, gave the iPad to the Clerk who saw more troubling messages, and the City eventually downloaded the messages for its use as evidence. At some point later, the messages were leaked to the CBC.

Whether the common law right of action for intrusion upon seclusion exists in Newfoundland had not yet been determined but was certified as a common issue in Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137. Here, the Court held that the province has “a common law tort for intrusion upon seclusion” and that it “coexists with rights created under the [Newfoundland and Labrador] Privacy Act.”

Not surprisingly, in light of the Supreme Court of Canada decision in R v Cole, the Court found a privacy expectation that warranted protection, though its analysis on this point bleeds into its finding that the City’s actions were “highly offensive.” It went on to exclude the messages from the appeal record on the basis of its procedural power.

I might have thought this was a closer case than the outcome suggests, but privacy is such a subjective concept that it’s hard to predict how a judge will view a matter. It’s also another case about using a work computer to access content in a private cloud account, which apparently touches a judicial nerve.

Hindsight is 20/20, but as the judge said, the City could have stopped once it viewed the snippets and used the observations made by IT and the Clerk to request access from the CAO (who was presumably still employed and with a duty to cooperate and who faced a possible adverse inference). I would be concerned about the potential destruction of evidence – all stored in the CAO-controlled account – but (unfortunately) the Court did not consider this factor.

Power v. Mount Pearl (City), 2022 NLSC 129 (CanLII).

Intrusion upon seclusion is an intentional tort – Ont CA

The Court of Appeal for Ontario has addressed an important point about the intentionality element in the intrusion upon seclusion tort.

The Court dismissed an appeal by a nurse who claimed her employer’s liability insurer had a duty to defend her from claims that arose out of her unauthorized access to patient information. The issue was whether policy language limiting coverage for “expected” or “intended” injury applied, which required the Court to analyze whether an allegation that one has committed the intrusion tort is an allegation of intentional conduct.

The Court said “yes,” and made clear that recklessness is a form of intentional conduct:

Although the Jones decision does not contain a definition of “reckless,” it places reckless conduct side-by-side with intentional or deliberate conduct. Jones adopted the Restatement’s formulation of the tort as involving an intentional intrusion. As well, the decision limited claims for intrusion upon seclusion only to “deliberate and significant intrusions of personal privacy”: Jones, at para. 72. One cannot tease from the discussion in Jones any support for the proposition advanced by Ms. Demme that Jones’ inclusion of a reckless act within the tort of intrusion upon seclusion could involve unintentional conduct.

The Court also articulated the precise state of mind that meets the intentionality element:

For that tort, the relevant intention is the defendant’s intention to access private patient records. If that is demonstrated, the nature of the tort is such that the intention to access the records amounts to an intention to cause injury. 

The appellant had argued that she lacked the intent to cause injury and therefore ought to have been covered.

Demme v. Healthcare Insurance Reciprocal of Canada, 2022 ONCA 503 (CanLII).

IPC upholds university vaccination policy

On April 5th, the Information and Privacy Commissioner/Ontario affirmed a University of Guelph requirement that students in residence for the 2021/2022 academic year be fully vaccinated.

The IPC has jurisdiction to consider whether a public body’s collection of personal information is “necessary” to a lawfully authorized activity based on the Freedom of Information and Protection of Personal Privacy Act. The necessity test has been endorsed by the Court of Appeal for Ontario as strict. Where personal information would merely be helpful to the activity, it is not “necessary” within the meaning of FIPPA. Similarly, where the purpose can be accomplished another way, a public body is obliged to choose the other route.

The IPC’s affirmation of the University’s policy (and its collection of personal information) rested heavily on a letter the University had received from the Wellington-Dufferin-Guelph Health Unit in July 2021. It said:

I am writing to recommend in the strongest possible terms that the University of Guelph require a full (two-dose) course of COVID-19 vaccines for all students living in residence during the 2021-22 school year. Additionally, the University should continue to recommend strongly that all other students, faculty and staff receive both doses of the vaccine.

Students beginning or returning to their studies this fall are looking forward to a safe and relational post-secondary experience. Adding this significant layer of protection will help create a more normal fall on campus. Strong vaccination rates across the University are an important part of student physical and mental well-being, and should contribute peace of mind to all Gryphons.

The IPC affirmation is significant not only because it supports a vaccine mandate based on the strict FIPPA necessity standard, but also because of its adoption of this letter and its reasoning. While mandates must certainly be based on science that establishes that vaccination reduces the risk of exposure, the privacy commissioners, labour arbitrators and judges who will continue to be called upon to evaluate mandates must recognize that they are also based on a need for stability and mental well-being.

We thought we were through the pandemic, and are now in Wave Six. Will there be a Wave Seven? And although the province is trying to give us the stability we all crave by committing to laissez faire policy, why should our public bodies be precluded from adopting stable, medium-term policy that prioritizes safety?

University of Guelph (Re), 2022 CanLII 25559 (ON IPC).

A call to modernize public sector privacy statutes without inviting litigation

The wave of public sector reform is coming, so it’s time to start thinking and talking about the best way to achieve strong privacy protection in the Ontario public sector. I had the honour of participating in the University of Toronto’s Privacy Day celebration yesterday, including by sitting on a panel and giving the short prepared remark below. I’m all for privacy protection and modernization, but the implementation of administrative monetary penalties in the Ontario public sector (like now in Quebec) would fundamentally change the relationship between the Ontario public sector and its regulator and not serve the public or education sectors well.

What’s not to say about Sherman Estate?

We all know that the Supreme Court of Canada decided Sherman Estate v Donovan on June 11th. I just got to it today, and was surprised at its significance to information and privacy law beyond the open courts principle itself. Here is a quick note on its three most salient broader points.

The Court held that records filed in court by estate trustees seeking probate ought not to have been sealed given the presumption of openness that applies to all court proceedings. In doing so, however, it recognized for the first time that privacy alone (whether or not it encourages access to justice) could be “an important public interest” that warrants a departure from the presumption.

Point one – sensitive information is information linked to the biographical core

Most significantly, the Court said that not any privacy interest will qualify. Privacy is such a subjective, difficult and confused concept that many individuals with genuinely felt “sensibilities” must be precluded from claiming that their privacy interest weighs against the openness of a court proceeding. A privacy interest only qualifies as “an important public interest” if the information at stake is “sufficiently sensitive such that it can be said to strike at the biographical core of the individual.”

The biographical core is a concept first articulated in R v Plant in 1993 and has since been criticized by privacy advocates as a concept that limits privacy protection. Yet here it is, front and centre as the limitation on privacy that will now protect the transparency of our justice system. The Court links the biographical core to the protection of human dignity, as it explains in the following paragraph:

Violations of privacy that cause a loss of control over fundamental personal information about oneself are damaging to dignity because they erode one’s ability to present aspects of oneself to others in a selective manner (D. Matheson, “Dignity and Selective Self-Presentation”, in I. Kerr, V. Steeves and C. Lucock, eds., Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society (2009), 319, at pp. 327‑28; L. M. Austin, “Re-reading Westin” (2019), 20 Theor. Inq. L. 53, at pp. 66‑68; Eltis (2016), at p. 13). Dignity, used in this context, is a social concept that involves presenting core aspects of oneself to others in a considered and controlled manner (see generally Matheson, at pp. 327‑28; Austin, at pp. 66‑68). Dignity is eroded where individuals lose control over this core identity‑giving information about themselves, because a highly sensitive aspect of who they are that they did not consciously decide to share is now available to others and may shape how they are seen in public. This was even alluded to by La Forest J., dissenting but not on this point, in Dagg, where he referred to privacy as “[a]n expression of an individual’s unique personality or personhood” (para. 65). 

The term “fundamental personal information” used here is sure to be re-used by privacy defence counsel to deal with disputes about sensitivity. And although the Court stressed again and again that its reasoning was made for the open courts context, we need the authority. The concept of sensitivity is as confused as any aspect of privacy law. The Office of the Privacy Commissioner of Canada finds personal information to be sensitive in virtually every one of its reports. It has found home address information sensitive, for example, yet the Ontario Superior Court of Justice held that home address information doesn’t warrant common law privacy protection. Sherman Estate is going to be helpful to those of us who are striving for a clear and predictable boundary to privacy claims.

Point two – the concept of privacy is a mess

The Court has already said that privacy is “somewhat evanescent” (Dagg) and “protean” (Tessling), and has noted that scholars have criticized privacy as being a concept in “theoretical disarray” (Spencer). In Sherman Estate, the Court revisits this criticism and, for the first time, clearly applies it to limit the scope of privacy protection. It says:

Further, recognizing an important interest in privacy generally could prove to be too open‑ended and difficult to apply. Privacy is a complex and contextual concept (Dagg, at para. 67; see also B. McIsaac, K. Klein and S. Brown, The Law of Privacy in Canada (loose‑leaf), vol. 1, at pp. 1‑4; D. J. Solove, “Conceptualizing Privacy” (2002), 90 Cal. L. Rev. 1087, at p. 1090). Indeed, this Court has described the nature of limits of privacy as being in a state of “theoretical disarray” (R. v. Spencer, 2014 SCC 43, [2014] 2 S.C.R. 212, at para. 35). Much turns on the context in which privacy is invoked. I agree with the Toronto Star that a bald recognition of privacy as an important interest in the context of the test for discretionary limits on court openness, as the Trustees advance here, would invite considerable confusion. It would be difficult for courts to measure a serious risk to such an interest because of its multi-faceted nature.

This is another very important paragraph for privacy defence counsel. I have relied on the first chapter of Daniel Solove’s Understanding Privacy more than once in a factum as a means of inviting a conservative response to a novel privacy matter. Now we have clear Supreme Court of Canada authority on point.

Yes, I am arguing against privacy protection, but it is because I deeply crave clarity. Organizations are faced with all manner of novel and bold privacy claims, the merits of which are too difficult to assess. We need a clearly defined limit to what counts as a privacy interest worthy of legal protection, whatever it is. This is another reason Sherman Estate is good: the first step to healing is to admit you have a problem!

Point three – a step towards unification, and a half step back

This is why it is so disappointing that the Court keeps saying that privacy is in theoretical disarray without taking up the challenge of fixing the problem.

As I’ve explained, it repeatedly tied its reasoning to the open courts context, and although it took the novel step of relying on Charter jurisprudence to help with its delineation, the Court felt it necessary to make clear that a reasonable expectation of privacy protected by section 8 of the Charter is different.

I pause here to note that I refer to cases on s. 8 of the Charter above for the limited purpose of providing insight into types of information that are more or less personal and therefore deserving of public protection. If the impact on dignity as a result of disclosure is to be accurately measured, it is critical that the analysis differentiate between information in this way. Helpfully, one factor in determining whether an applicant’s subjective expectation of privacy is objectively reasonable in the s. 8 jurisprudence focuses on the degree to which information is private (see, e.g., R. v. Marakah, 2017 SCC 59, [2017] 2 S.C.R. 608, at para. 31; Cole, at paras. 44‑46). But while these decisions may assist for this limited purpose, this is not to say that the remainder of the s. 8 analysis has any relevance to the application of the test for discretionary limits on court openness.

Privacy shouldn’t have a different meaning in the open courts context and the Charter context and the common law/civil context. Why should it? It’s a fundamental right is it not? Has all the talk about contextual significance caused us to be too conservative? Lazy, even? Certainly facts can be assessed in their proper context under a unified concept?

We have unified our reading of differently worded anti-discrimination statutes to provide for clear and strong law across the Country given the importance of human rights protection. I fail to see why we are so hesitant to unify our privacy law.

Sherman Estate is therefore a good decision in my eyes, but not great, and there is more work to be done.

Sherman Estate v. Donovan, 2021 SCC 25 (CanLII).

[This is a personal blog, and these are my views alone. They do not reflect the views of my firm or colleagues.]

Alberta OIPC finds Blackbaud incident gives rise to RROSH

Hat tip to my good colleague Francois Joli-Coeur, who let our group know yesterday that the OIPC Alberta has issued a number of breach notification decisions about the Blackbaud incident, finding in each one that it gave rise to a “real risk of significant harm” that warrants notification and reporting under Alberta PIPA.

Blackbaud is a cloud service provider to organizations engaged in fundraising who suffered a ransomware incident last spring in which hackers exfiltrated the personal information of donors and educational institution alumni. The true scope of the incident is unknown, but likely large, affecting millions of individuals across the globe.

Blackbaud issued notably strong communications that de-emphasized the risk of harm. It rested primarily on the payment of a ransom, assurances by the threat actors that they would delete all data in exchange for payment and its ongoing dark web searches. Most affected institutions (Blackbaud clients) notified anyway.

On my count the OIPC issued seven breach notification decisions about the incident late last year, each time finding a “real risk.” In a decision involving an American college with donors or alumni in Alberta, the OIPC said:

In my view, a reasonable person would consider the likelihood of significant harm resulting from this incident is increased because the personal information was compromised due to a deliberate unauthorized intrusion by a cybercriminal. The Organization reported that the cybercriminal both accessed and stole the personal information at issue. The Organization can only assume that cybercriminal did not or will not misuse, disseminate or otherwise make available publicly the personal information at issue.

This is not surprising, but tells us how the OIPC feels about the assurance gained from paying a ransom to recover stolen data.

See e.g. P2020-ND-201 (File #017205).

Developmental service agency not a health information custodian

On October 29th, the Information and Privacy Commissioner/Ontario held that an organization operating as a service agency under the Services and Supports to Promote the Social Inclusion of Persons with Developmental Disabilities Act is not a health information custodian under the Personal Health Information Protection Act.

The issue of the organization’s status came up in an appeal of its access decision. The organization acted as if subject to PHIPA, but the adjudicator raised its status as a preliminary issue, and ultimately held that PHIPA did not govern the request because the organization was not providing a service for community health “whose primary purpose is the provision of ‘health care’.”

Although the organization both handles medical information in providing its services and contributes to the enhancement of individual health, the IPC held that its primary role is the coordination of service and not the provision of health care. It explained:

[34] In my view, what is common to each of the six services offered by SCS is SCS’ role as a coordinator for, or link to, a wide range of services offered by third parties to individuals with developmental disabilities and/or autism. It is a role of coordination between these individuals (or their family members) and third-party services, which may include assessing each individual’s needs and/or preferences, and matching them to various types of programs in the community. The effect of the individuals’ participation in those third-party programs may well be that it enhances their health, but that does not transform SCS’ role into one that can be described as having a primary purpose of providing health care. In my view, it would be too broad a reading of “health care” to find that SCS’ primary purpose is the provision of health care.

[35] It is true that SCS serves members of the community who have health challenges. The complainant states that these individuals “have other health issues including mental and neurological diagnoses, speech-language impairments and complex health needs often requiring 24 hours supervision.” However, the fact SCS’ client base has health challenges does not mean that SCS’ primary purpose is the delivery of health care. With respect to the status of third party entities to whom SCS refers for services, I am not satisfied that their status is relevant to the question of whether SCS itself is a HIC. Assuming, without deciding, that at least some of those third party entities are HICs under PHIPA, that does not mean that SCS itself, as a coordinating agency, is a HIC.

This is a good reminder that organizations do not become health information custodians merely by handling medical information or by employing regulated health professionals. They must engage in the provision of “health care,” which the IPC has defined narrowly in this decision and others.

Service Coordination Support (Re), 2020 CanLII 85021 (ON IPC).

Three (literal) highlights from the IPC Ontario submission

If Ontario follows through with its commitment to enact privacy legislation, the IPC/Ontario will break from her current constraints to become a privacy regulator with global relevance. We ought to listen carefully to what she is saying about reform and build a strong sense as to how she is inclined.

On October 16th, Commissioner Kosseim filed her submission to the province. It is detailed, thoughtful and strikingly moderate. It has no talk of the concept of “fundamental human rights” that has drawn the attention of the federal commissioner. Rather, the Commissioner says that balancing privacy rights with legitimate business needs is a “virtue.”

Read the submission yourself, but here are the three parts of it that I highlighted in my own read.

First, the Commissioner says we need to reframe the role of consent and develop more principled exceptions, but consent should still be at the top of the hierarchy of the bases for processing:

Some might propose that the solution lies in a GDPR-like architecture by adopting multiple grounds for lawful processing of data, whereby consent is only one such ground on the same and equal footing as other alternative bases. However, we believe that non-governmental organizations should first be required to consider whether they can obtain meaningful consent and stand ready – if asked – to demonstrate why they cannot or should not do so before turning to permissible exceptions for processing. This approach would be more in keeping with Ontario values that promote individual autonomy and respect consumer choice. Whenever it is reasonable, appropriate, and practicable for people to decide for themselves, they should be given the opportunity to do so.

Second, the Commissioner is clearly interested in AI and its implications and clearly sees value in fostering data-driven innovation, though does not propose any solutions, calling the handling of data-driven innovation “the most challenging piece to get right in any new private sector privacy law.” Here’s my highlight on this issue:

While Purpose Specification, Consent, and Collection Limitation continue to be relevant principles, a more modern private sector privacy law would need to reconsider the weight ascribed to them relative to other principles in certain circumstances. For example, in an era of artificial intelligence and advanced data analytics, organizations must rely on enormous volumes of data, which runs directly counter to collection limitation. Data are obtained, observed, inferred, and/or created from many sources other than the individual, rendering individual consent less practicable than it once was. The very object of these advanced data processes is to discover the unknown, identify patterns and derive insights that cannot be anticipated, let alone described at the outset, making highly detailed purpose specification virtually impossible.

Finally, nobody should underestimate the significance of the potential for Ontario employers to become regulated in respect of their employees. On this issue, the Commissioner’s position is clear:

Individuals should have the ability to perform their jobs with the confidence that their employer will keep them safe, while also respecting their privacy rights. Accordingly, we recommend that any private sector privacy law in Ontario should apply to all employee personal information to fill this glaring gap in privacy protection.

IPC Comments on the Ontario Government’s Discussion Paper, IPC/Ontario, 16 October 2020.

UK Court of Appeal causes re-set for facial recognition surveillance

On September 11th, the England and Wales Court of Appeal held that the South Wales Police Force violated Article 8 of the European Convention on Human Rights and the UK Equality Act 2018 by using facial recognition software on two occasions. The finding is narrow, though, and leaves facial recognition technology open to police use.

The police piloted facial recognition technology on two occasions. They were governed by the Data Protection Act 2018, a surveillance “code of practice” issued under the Protection of Freedoms Act 2012 and written local police policy. The police also conducted a data protection impact assessment and a (somewhat limited) equality impact assessment.

The police conducted overt facial recognition surveillance under this framework based on pre-deployment notice made, in part, via advertising and via notices posted on the police cars equipped with facial recognition cameras. On two occasions the police collected images for an entire day and matched the images against images in “watch lists” comprised of persons wanted on warrants, persons identified as suspects and other persons of interest. The police used human validation to screen matches, which led them to make two arrests on one occasion and no arrests on another. Significantly, the police immediately disposed of images of all persons who did not match.

The Court found the deployment to have been unlawful based on two problems, both problems of process rather than fundamental problems.

First, the Court held that the deployments were not sufficiently prescribed by law to justify an infringement of Article 8 (which protects the right to privacy). More specifically, it held that the legal framework for the deployments left too much discretion to the police as to who may be placed on a watch list, in particular for intelligence gathering purposes. The police failure to reckon with this aspect of the technology and surveillance program also led the Court to conclude that its data privacy impact assessment was inadequate.

Second, the Court held that the police did not conduct an adequate equality impact assessment, which it held requires “the taking of reasonable steps to make enquiries about what may not yet be known to a public authority about the potential impact of a proposed decision or policy on people with the relevant characteristics, in particular for present purposes race and sex.” The police ought to have, the Court said, assessed the facial recognition software to determine if it resulted in “unacceptable bias,” even if human validation was to be a feature of the matching process.

Notably, the Court held (in obiter) that the police infringement of Article 8 rights was justifiable in regards to the relative consequences and benefits of the surveillance scheme, calling the impact on Article 8 rights “negligible.”

As noted, this leaves facial recognition technology open to police use in the UK. Use for intelligence gathering purposes may be more questionable than use for investigatory purposes.

Bridges, R (On the Application Of) v South Wales Police [2020] EWCA Civ 1058 (11 August 2020).

IPC wades into shadow IT mess, may never again

The Information and Privacy Commissioner/Ontario issued a decision about a security incident on July 9th in which it made clear, after participating in a health information custodian’s efforts to recover lost data, that this burden falls on custodians alone.

The incident involved a clinician at an unnamed rehabilitation clinic and her estranged spouse, who reported to the clinic that he possessed 164 unique files containing the personal health information of 46 clinic clients on two computers that belonged to the clinician. The clinician explained the existence of the files as a by-product of secure access and inadvertent, though the files appear to have been purposely moved from temporary storage to a Google drive at some point, possibly by the spouse.

The spouse was not particularly cooperative. This led the IPC, who the clinic had notified, to engage with the spouse together with the clinic over a several month period. The IPC took the (questionable) position that the spouse was in breach of duties under section 49(1) of PHIPA.

In the course of these dealings the spouse reported he had also received e-mails with attached assessment reports from the clinician for printing purposes. The clinician said she had thought she had adequately de-identified the reports, though one included a full patient name and others (as the IPC held) contained ample data to render patients identifiable.

All of the detritus was eventually deleted to the satisfaction of the clinic and IPC. The clinic reconfigured its means of providing secure remote access to address the risk of local storage and beefed up its administrative policies and training. There is no mention of implementing a digital loss prevention solution.

The IPC decision is notable for two points.

First, the IPC made clear that custodians should not rely on the IPC to help with data recovery (which can be very expensive):

It is clear that interactions between the Clinic and the Spouse had been very challenging, chiefly due to the Spouse’s changing positions throughout this investigation. However, the obligations on a health information custodian to contain the breach remain, even in the face of challenging circumstances.  The Privacy Breach Guidelines are clear that there is an obligation on the health information custodian to retrieve any copies of personal health information that have been disclosed and ensure that no copies of personal health information have been made or retained by anyone who was not authorized to receive the information.  Nothing in the legislation or these guidelines transfers this obligation to the IPC.

Second, the clinic was less skeptical of the clinician than it might otherwise have been, and did not issue discipline. The IPC accepted this, and re-stated its deferential position on employee discipline as follows:

With respect to the Clinic’s decision, I am satisfied that it was reasonable in the circumstances. This office has stated that its role is not to judge the severity or appropriateness of sanctions taken by a custodian against its agents (see PHIPA Decision 74). However, the IPC can take into account a custodian’s disciplinary response as part of its assessment of whether the custodian has taken reasonable steps to protect personal health information against unauthorized access.

A Rehabilitation Clinic (Re), 2020 CanLII 45770 (ON IPC).