Sask C.A. Opines on Elements of Statutory Privacy Tort

On March 15th, a majority the Saskatchewan Court of Appeal affirmed a decision not to strike a pleading that was based on the Saskatchewan Privacy Act.

The case is about a Saskatchewan Power Corporation customer service representative who accessed account information for personal reasons. The account holder sued and the defendants, in response, moved to strike. The defendants argued that the plaintiff did not plead facts necessary to establish that the information at issue was of a quality protected by the Act. The ratio of the majority decision (written by Justice Ottenbreit) is summarized in the following paragraph:

The wording of the Act arguably does not require that a claim alleging a breach of privacy respecting information must necessarily plead that the information accessed is confidential or reveals intimate details of the lifestyle and personal choices of the plaintiff. This is not to say that the Act does not make the accessing of such information actionable and that certain Charter concepts of privacy and Charter analysis would not be apt in a particular case. To what extent Charter concepts and a Charter approach would be helpful remains to be determined. What is clear is that the Charter concept of reasonable expectation of privacy and its corollary concepts are arguably not congruent with the “privacy” or an “expectation of privacy”, the violation of which is actionable under the Act. Based on an examination of the Act, pleadings in terms of Charter concepts of reasonable expectation of privacy are arguably not therefore essential to a claim under the Act. The argument of SPC that the pleading is deficient because it lacks sufficient facts which would allege a violation of an expectation of privacy identical or very similar to the Charter concept fails.

Justice Ottenbreit said that it was enough for the plaintiff to plead that the individual defendant accessed her employer’s records “to obtain information about [the plaintiff’s] activities” for her own purposes.

Justice Smith dissented. She held that, at a minimum, a plaintiff claiming breach of an informational privacy right based on the Saskatchewan Privacy Act must plead facts to establish that the information at issue is “personal and confidential.”

Bigstone v. St. Pierre, 2011 SKCA 34 (CanLII).

Majority of Alberta CA Slaps OIPC on Driver’s License Case

On March 28th, a majority of the Alberta Court of Appeal held that the OIPC erred in finding that receiving and recording driver’s license and license plate numbers for security-related purposes is a breach of Alberta PIPA. This is a significant and business-friendly judgement on how to interpret private sector privacy legislation. It also demonstrates a wide gap in values between our privacy commissioners and some members of the judiciary.

Justice Slatter wrote for the majority, with a concurrence by Justice Berger. Justice Slatter held that the OIPC erred in finding that license plate numbers are personal information and erred in finding that that Leon’s failed to comply with the standard for collecting personal information under Alberta PIPA by recording the driver’s license and license plate numbers of individuals who picked up furniture.

Notwithstanding that Leon’s used license plate numbers as a backup means of identifying individuals, Justice Slatter held that license plate numbers are not an individual’s personal information because license plate number are only information “about” or “related to” a vehicle. He said, “The Act is designed to regulate and protect information that is uniquely connected to one person.” He also interpreted the meaning of personal information in light of the normative “reasonable expectation of privacy” concept, noting that there is no reasonable expectation of privacy in a license plate number because it is displayed openly in public.

Regarding whether the recording of driver’s license and license plate numbers is justifiable under the standard for collection in Alberta PIPA, Justice Slatter held that the OPIC’s finding was improperly influenced by a belief that the Alberta PIPA makes privacy rights paramount to an organization’s need to collect information. He held that this was inconsistent with the purpose provision of Alberta PIPA, which expressly recognizes the need of organizations to collect personal information for purposes that are reasonable. In light of this recognized need, Justice Slatter stressed that the standard for collecting personal information under Alberta PIPA is not a strict necessity standard. He referred to a “reasonable necessity” requirement given section 7(2) of Alberta PIPA requires that a mandatory collection of personal information must be limited to “what is necessary to provide [a] product or service,” but Justice Slatter makes clear that the overall reasonableness of a collection should be the focus of the inquiry. This led him to state, “As long as fraud is a meaningful risk in the business, and the policies adopted have a meaningful effect on preventing or detecting fraud, those policies would be considered ‘appropriate in the circumstances’ by reasonable people.”

Justice Conrad wrote a lengthy and detailed dissent. She disagreed with the majority on whether license plate numbers are personal information and on whether the recording of driver’s license and license plate numbers is justifiable for security-related purposes.

Regarding the personal information issue, Justice Conrad relied heavily on Justice LaForest’s dissenting judgement in Dagg v. Canada and the Ontario Court of Appeal’s judgement in Ontario v. Pascoe. In Dagg, Justice LaForest argued that “the information about an identifiable individual” condition in the definition of personal information should be construed broadly. In Pascoe, the Ontario Court of Appeal held that information is about an identifiable individual if it is about and individual who can be identified when the information is combined with information from “sources otherwise available.” Justice Conrad also held that the reasonable expectation of privacy concept should not be applied in assessing whether information is protected under statute as “personal information.”

On the justification for collection issue, Justice Conrad stressed the governing reasonableness standard of review, though she did expressly disagree with the majority’s suggestion that necessity is not part of the standard for collection under Alberta PIPA.

The Court’s discussion of both these issues, especially the personal information issue, is very significant, but the context is also notable. The Alberta OPIC has had a tough go in the Alberta Courts lately, most recently having a decision quashed for reasonable apprehension of bias. It certainly did not go out on a limb here given its position against the recording of driver’s license numbers is shared (at least) by the federal and Ontario commissioners, yet it lost on the reasonableness standard of review in a manner that must feel like a good slap. Look for an appeal.

Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94 (CanLII).

No Invasion of Privacy Tort in Ontario

The Ontario Superior Court of Justice issued a significant judgment today in which Justice Whitaker held that Ontario law does not recognize a common law invasion of privacy tort. More specifically, he held that he was bound by the Court of Appeal’s 2005 judgment in Euteneier v. Lee, in which the Court commented that there is no “free standing” right to privacy in assessing a privacy-related claim by a police detainee that was based in negligence, assault, civil conspiracy and the Charter. Justice Whitaker said:

While it is certainly the case that in Euteneier, the plaintiff was not suing on the basis of an intentional tort, the extent to which privacy rights are enforceable at law was squarely before the court for the purposes of determining the content of the duty of care owed by the police to the plaintiff while in custody. In my view, the inescapable conclusion, put quite plainly by the Court of Appeal in paragraph 63 of that decision, is that “there is no ‘free standing’ right to… privacy… at common law.”

Justice Whitaker departed from the Court’s well-known decision in Somwar v. McDonald’s Restaurants of Canada. Justice Stinson decided Somwar shortly after the Court of Appeal decided Euteneier and did not consider it in finding (on a summary judgment motion) that it is not settled law in Ontario that there is no tort of invasion of privacy.

Alex Cameron acted for the defendant.

Jones v. Tsige, 2011 ONSC 1475.

Alberta CA Addresses Jurisdiction to Consider Alleged Privacy Breach by Privacy Commissioner

On February 3rd, the Alberta Court of Appeal considered who has jurisdiction to consider an alleged privacy breach by the Alberta Office of the Information and Privacy Commissioner. It held that the proper means to allege a breach of the OPIC’s confidentiality duty in the Alberta Personal Information Protection Act is by filing an application for judicial review and not by seeking appointment of a special adjudicator under the Alberta Freedom of Information and Protection of Privacy Act.

The complainant first filed a complaint to the OPIC under PIPA. He later took issue with the OIPC itself when it copied the respondents on a letter dismissing his complaint as constituting an abuse of process. The complainant alleged a breach of section 41 of PIPA, which imposes a duty of confidentiality on the OPIC that expressly permits disclosures that are necessary for the purposes of conducting an investigation and inquiry. He sought and obtained an order appointing a special adjudicator to investigate a complaint against the Commissioner under provisions allowing for such an appointment in the Alberta FIPPA.

The Court of Appeal held that the adjudicator did not have jurisdiction to hear the complaint because of an exclusion provision in Alberta FIPPA for “a record that is created by or for or is in the custody or under the control of an officer of the Legislature and relates to the exercise of that officer’s functions under an Act of Alberta.” The Court held that the adjudicator (deciding on his own jurisdiction) and the reviewing judge erred by finding that this provision excluded certain records from the right of public access but did not exclude complaints about the disclosure of personal information in such records. It held that absolute exclusion was supported by the plain language of the exclusion and a contextual reading of the exclusion. It commented on the appropriate remedial path as follows:

However, some recourse does exist in situations where the Commissioner has allegedly improperly disclosed confidential information. He acknowledges that his actions are subject to judicial review, that he may face an action based on abuse of public office given his role as a public official and, also, that he is subject to sanction or removal by the legislature should he engage in improper conduct. That said, somewhat ironically, s. 4(1)(d) protects him from the operation of the same statutory complaint mechanisms as apply to others should he improperly disclose confidential information. This result concerned the Adjudicator and the reviewing judge. If it applied, such a mechanism would provide less expensive, cumbersome and uncertain recourse than that available through judicial review or removal from office by the legislature. However, had the legislature wished the Commissioner to be subject to the same sanctions as other people, it could have included an express provision in FOIPPA to create that result while nonetheless protecting him from release of information properly required in the exercise of his functions.

The Court also held that the adjudicator and reviewing judge erred by grounding jurisdiction in section 77 of the Alberta FIPPA, which grants a right to review certain decisions of the Commissioner when acting as head of the OIPC. It held that the Commissioner does not act as head of the OPIC when exercising his adjudicative functions.

The Court’s interpretation of the records-based exclusion has some significance given the existence of similarly worded exclusions in other public sector access and privacy statutes.

Alberta (Information and Privacy Commissioner) v. Alberta (Freedom of Information and Protection of Privacy Act Adjudicator), 2011 ABCA 36 (CanLII).

Party complains about receiving confidential information of non-parties. What next?

On January 24th, the Ontario Superior Court of Justice held that a plaintiff did not breach the deemed undertaking rule by complaining to a professional body (the Institute of Chartered Accountants of Ontario) that the defendants had produced documents containing their former clients’ confidential information.

Though the Court doubted that the plaintiff’s motives were pure, it held that he did not breach the deemed undertaking rule because his use of the production was done with the affected clients’ consent. The Court stressed that it was not deciding whether the defendants’ production was proper, but also said that a privacy-related complaint about producing documents pursuant to the Rules is “remarkable on its face.”

Two questions: (1) Is the deemed undertaking finding consistent with case law that recognizes that the undertaking gives rise to a duty owed to the court for the benefit of the parties? (2) Were the clients’ identities relevant, or could identifying information have been redacted without causing an improper production?

Martenfeld v. Collins Barrow Toronto LLP, 2011 ONSC 441 (CanLII).

.

Party complains about receiving confidential information of non-parties. What next?

On January 24th, the Ontario Superior Court of Justice held that a plaintiff did not breach the deemed undertaking rule by complaining to a professional body (the Institute of Chartered Accountants of Ontario) that the defendants had produced documents containing their former clients’ confidential information.

Though the Court doubted that the plaintiff’s motives were pure, it held that he did not breach the deemed undertaking rule because his use of the production was done with the affected clients’ consent. The Court stressed that it was not deciding whether the defendants’ production was proper, but also said that a privacy-related complaint about producing documents pursuant to the Rules is “remarkable on its face.”

Two questions: (1) Is the deemed undertaking finding consistent with case law that recognizes that the undertaking gives rise to a duty owed to the court for the benefit of the parties?(2) Were the clients’ identities relevant, or could identifying information have been redacted without causing an improper production?

Martenfeld v Collins Barrow Toronto LLP, 2010 ONSC 598.

The Pitfalls of Accessing Private Emails

Here’s a link to a Law Times article, reviewing an interesting decision recently released by the B.C. Supreme Court, which awarded damages for improper publication of the plaintiff’s personal emails.  The parties were former spouses who were already engaged in extensive family law litigation — which sets the unfortunate and messy backdrop for the privacy-related litigation.  The defendant husband published a number of defamatory comments about his ex-wife, by way of emails and internet postings.  He included references to private email exchanges of his former spouse, and which he discovered on an old home computer.

The Court concluded that the defendant had “taken his battle with [his ex-wife] over custody and access far outside the ordinary confines of the family court litigation.”  In addition to defaming his ex-wife, the defendant was found to have breached her privacy by publishing the contents of her private emails.  As a result, he was ordered to pay damages of $40,000 for breach of privacy and defamation.

The breach of privacy aspect of the decision flows from B.C.’s Privacy Act, which creates an express statutory recourse for privacy violations.  Other jurisdictions, including Ontario, have not adopted such statutory causes of action for violation of privacy, so courts in those jurisdictions would not necessarily arrive at the same result.  However, some cases have suggested that there may be a common law tort for invasion of privacy, which could form the basis for similar claims.

The decision provides a reminder of the need to be prudent in accessing – and certainly in publishing – emails in respect of which there is a right or an expectation of privacy.

Also a good reminder of the wisdom of avoiding family law litigation!

Court of Appeal considers privacy expectation of regulated businesses

In R v. Clothier, 2011 ONCA 27, the Court of Appeal for Ontario held that the “entrapment” defence did not apply to the regulatory offence of a store clerk selling cigarettes to a minor in violation of the Smoke Free Ontario Act.  The minor was a “test shopper” for the local tobacco enforcement agency.  The clerk argued that this was entrapment.  The Court held that entrapment did not apply and that government authorities can use random test shopping to monitor compliance with the Act.  Of interest from a privacy point of view is the Court’s statement that regulated businesses should expect monitoring as a consequence of doing business:

First, these stores operate in a regulated commercial environment, and operating in this regulatory environment comes with consequences.  As Cory J. said in Wholesale Travel, at p. 229: “… those who choose to participate in regulated activities have, in doing so, placed themselves in a responsible relationship to the public generally and must accept the consequences of that responsibility.”

Stores selling tobacco and their employees have this responsibility to the public.  One important consequence of this responsibility is their deemed acceptance of an undertaking to exercise reasonable care to ensure that the harm identified in the regulatory statute – here selling tobacco to minors – does not occur.  This entails a further
consequence.

Those who sell tobacco products must accept a greatly diminished expectation of privacy, as some form of monitoring will be necessary to ensure that they meet their due diligence responsibilities. The monitoring is done, not to punish past conduct, as would be the case for an offence under the criminal law, but to deter harmful conduct in the future – in other words, to prevent harm to the public from the illegal sale of tobacco to
minors.

We recognize entrapment as a defence in criminal law because of our concern that random virtue testing will result in too great an invasion of personal privacy. That rationale simply does not apply in this regulatory context.

This is an interesting analysis in that it refers both to a diminished “expectation” of privacy and a diminished concern with the “invasion” of privacy in a particular context.

Banks prohibited by PIPEDA from disclosing mortgage discharge statement

In an interesting decision released today, the Ontario Court of Appeal held in Citi Cards Canada Inc. v. Pleasance, 2011 ONCA 3, that PIPEDA prohibits banks from disclosing mortgage discharge statements to a third party.

Citi had a credit card debt against Pleasance and sought to enforce judgment through a sheriff’s sale of Pleasance’s home.  But the sheriff would not act without mortgage discharge statements, which the banks refused to provide on the basis that disclosure would be in breach of privacy rights under PIPEDA.  The Court called this a “knotty and interesting question”, but upheld the lower court decision prohibiting disclosure.  The Court held that mortgage discharge statements contain “personal information” which is not publicly available, that Citi’s interests (as a third party) are not factored in the balancing of interests under PIPEDA, and that Citi could have pursued alternate remedies through a judgment debtor exam or order in aid of execution.

A link to the decision is here.