Archive | Privacy (Not Workplace)

The right to be forgotten comes to Canada

28 Jan

On Friday, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, it is nonetheless of critical significance to Canadians’ use of the internet – creating a broader variant of the so-called European “right to be forgotten.”

The OPC says the right arises out of two longstanding parts of the Personal Information Protection and Electronic Documents Act – Principle 4.6 and section 5(3).

Principle 4.6 is the accuracy principle. It reads as follows:

4.6 Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.6 dovetails in part with Principle 4.9, which requires organizations to “amend” personal information if it is demonstrably “inaccurate or incomplete.” (Principle 4.9 does not mention currency.)

The OPC’s reasoning is simple. Search engines use and disclose personal information to “provide people with access to relevant information from the most reliable sources available.” This purpose is not served by presenting search results that are not accurate, complete or up-to-date. Though accuracy, completeness and currency are the key concepts, the OPC says that search engines should interpret and apply them in light of how materially the impugned content affects individuals’ interests and the countervailing (public) interest in continued accessibility.

Section 5(3) of PIPEDA restricts organizations to handling personal information for purposes that a “reasonable person would consider are appropriate under the circumstances.” The OPC says that section 5(3) could also be the basis of a valid de-indexing request, giving the following two examples:

  • Where content is unlawful, or unlawfully published (e.g. where it contravenes a publication ban, is defamatory, or violates copyright; etc.)
  • Where the accessibility of the information may cause significant harm to the individual, and there is either no public interest associated with the display of the search result, or the harm, considering its magnitude and likelihood of occurrence, outweighs any public interest

This newly-recognized right invites de-indexing requests to search engines as the primary means of obtaining relief from online reputational harm, though the OPC has also recognized a right to take down content. The right to take down content is a more limited right, in part because the OPC only has jurisdiction over those who publish personal information “in the course of commercial activity.”

The significance of the new position cannot be overstated; there are many Canadians who feel plagued by internet posts that are unflattering if not disparaging. Search engines will not embrace this development – leaving a possibility of an enforcement dispute (and Federal Court input) and vigorous lobbying for a legislative amendment. It may take some time, but watch for a Charter challenge.

You can read the draft report here.


In snooping investigations, disclose the logs

21 Dec

When an employer confronts an employee with an allegation of improper access to personal information, it is important to give the employee the event log data that proves the allegation. It may often be voluminous and difficult to interpret, but presenting a general allegation or summarizing events without particulars will give the employee a good reason to deny the allegation.

This is what happened in this very illustrative British Columbia case in which an arbitrator held he could not infer dishonesty from the grievor’s initial failure to admit wrongdoing because the grievor had not been given log data. Also, if an employee continues to deny responsibility, log data can be difficult to rely upon; even if it can be established to be authentic, there are issues about presenting log data in a meaningful and privacy-protective way. An early admission can go a long way.

Fraser Health Authority (Royal Columbian Hospital) v British Columbia Nurses’ Union, 2017 CanLII 72384 (BC LA).

Tribunal errs by ordering disclosure without redaction – right to redaction?

18 Dec

On November 28th the Nova Scotia Court of Appeal held that the Nova Scotia Workers’ Compensation Appeals Tribunal erred by ordering the disclosure of a worker’s entire file without redaction.

The matter was about a workplace safety insurance claim, and particularly whether a worker’s condition was caused by his work. The Tribunal made the order in response to an employer’s objection to various redactions made to a set of records in the possession of the Workers Compensation Board. Although the employer argued the redacted information was relevant, the Tribunal ordered the unredacted file to be produced because it lacked the resources to vet for relevance, because fairness and the “ebb and flow” of a hearing supported full disclosure and because of the difficulty in making relevance determinations.

Despite the obvious appearance of laziness, the Tribunal framed its decision as rooted in procedural fairness. In response, the Court said: “…there is no principle of procedural fairness… that a litigant who requests disclosure is entitled to see every document it requests, regardless of relevance and without a relevance ruling by an impartial arbiter.”

Implicit in this statement is a concern for the worker’s privacy interest. The Tribunal had recognized this interest in a policy manual that it disregarded in making its order, though there are aspects of the Court’s reasoning that suggest a more broadly based right to redaction.

The Court gave this guidance on how to vet for relevance:

The person who vets for relevance must keep in mind that material should be disclosed for its connection to the “proposition[s] being advanced” by the parties, to borrow Justice Rothstein’s phrase, and not merely to justify an anticipated conclusion on the merits of those propositions. The vetting official may not be able to foretell precisely how the evidence will be martialed. So the ambit of disclosure should allow the parties some elbow room to strategize for the engagement.

Baker v. Nova Scotia (Workers’ Compensation Appeals Tribunal), 2017 NSCA 83.

What’s a breach coach?

29 Sep

I hate the term “breach” – please call them “security incidents” – but the term “breach coach” is certainly ingrained. Posting today’s presentation on the role of the coach as I step out the door to an insurance sector event. The simple, self-serving and valid message: call a coach first.

Who’s the HIC?

28 Sep

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.

OPC gives guidance, argues for more enforcement power

24 Sep

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible for making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24 page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes information is collected, used or shared (including an explanation of purposes that are not integral to the service) and what the risk of harm to the individual is, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of PIPEDA is, at the very least, “challenged,” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.

SCC makes a modest point in favouring local court’s jurisdiction over privacy claim

25 Jun

On Friday the Supreme Court of Canada issued its decision in Douez v Facebook. A majority of the Court held that a forum selection clause in Facebook’s terms of use should not be enforced.

Douez is the plaintiff in a proposed class action that alleges Facebook breached the British Columbia Privacy Act by administering its “sponsored stories” advertising program – a program by which Facebook used the name and picture of Facebook members (allegedly without their knowledge) to advertise companies and products to other members on the site and externally. Facebook sought to stay the action based on a clause in its terms of use that stipulated disputes would be resolved in California.

A four judge majority of the Court held that the clause should not be enforced. Three judges in this majority (Karakatsanis, Wagner and Gascon JJ) held that the clause was valid according to contract law principles but, as a matter of policy, should not be enforced. They explained that the two dispositive factors were (1) the “gross inequality in bargaining power” between Douez (a consumer of online services) and Facebook and (2) the interest in local adjudication of privacy disputes – disputes that rest on “quasi-constitutional” rights. Justice Abella joined this group against enforcement of the clause, but held that the clause should not be enforced because it was unconscionable – issuing a broader critique of the means of contracting used by Facebook and most other online service providers.

While the Court did not enforce the contract, the plurality’s view is balanced – making a narrow point about where these types of privacy claims should be heard rather than a more disruptive and general point about the enforceability of online service terms of use.

Douez v. Facebook, Inc., 2017 SCC 33 (CanLII).