Archive | Privacy (Not Workplace)

OPC gives guidance, argues for more enforcement power

24 Sep

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible for making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet the issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24-page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes the information is collected, used or shared (including an explanation of purposes that are not integral to the service) and what the risk of harm to the individual is, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of PIPEDA is, at the very least, “challenged,” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.


SCC makes a modest point in favouring local court’s jurisdiction over privacy claim

25 Jun

On Friday the Supreme Court of Canada issued its decision in Douez v Facebook. A majority of the Court held that a forum selection clause in Facebook’s terms of use should not be enforced.

Douez is the plaintiff in a proposed class action that alleges Facebook breached the British Columbia Privacy Act by administering its “sponsored stories” advertising program – a program by which Facebook used the name and picture of Facebook members (allegedly without their knowledge) to advertise companies and products to other members on the site and externally. Facebook sought to stay the action based on a clause in its terms of use that stipulated disputes would be resolved in California.

A four-judge majority of the Court held that the clause should not be enforced. Three judges in this majority (Karakatsanis, Wagner and Gascon JJ) held that the clause was valid according to contract law principles but, as a matter of policy, should not be enforced. They explained that the two dispositive factors were (1) the “gross inequality in bargaining power” between Douez (a consumer of online services) and Facebook and (2) the interest in local adjudication of privacy disputes – disputes that rest on “quasi-constitutional” rights. Justice Abella joined this group against enforcement of the clause, but held that the clause should not be enforced because it was unconscionable – issuing a broader critique of the means of contracting used by Facebook and most other online service providers.

While the Court did not enforce the contract, the plurality’s view is balanced – making a narrow point about where these types of privacy claims should be heard rather than a more disruptive and general point about the enforceability of online service terms of use.

Douez v. Facebook, Inc., 2017 SCC 33 (CanLII).

The Australian “Ben Grubb” decision and its link to Canada

24 Jan

There’s been some talk about the Federal Court of Australia’s recent decision in the “Ben Grubb” case – Mr. Grubb being the journalist who requested and was denied access to certain data related to his mobile phone usage from his carrier. Although the data was linked to Mr. Grubb’s mobile phone usage, the Court held it was not “information about” Mr. Grubb and therefore was not “personal information” that Mr. Grubb could access under the Australia Privacy Act. The Court explained:

…in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

In some instances the evaluative conclusion will not be difficult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more difficult. Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words “about an individual” will exclude some of that information from National Privacy Principle 6.1

In other words, there must be more than a link between information and an individual for the information to be “personal” information. The information must also reveal something “about” the person in a way that engages a reasonable expectation of privacy. I am not sure whether this “guts” the rights provided by the Australia Privacy Act as reported, but this reasoning has been a feature of Canadian law, most notably supported in our Federal Court of Appeal’s Nav Canada case – an authority the Australian court relied upon in determining the outcome of Mr. Grubb’s access request.

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017).

ONSC awards $15,000 in privacy damages

15 Jan

On December 12th of last year, Justice Fragomeni of the Ontario Superior Court of Justice ordered a man to pay $15,000 in damages to his estranged spouse for surreptitiously installing a camera in a bathroom (prior to separation) to take photos “for a couple of days.” There’s little analysis about liability. Here are the damages factors listed by the Court:

1. the nature of the intrusion. It took place in a bedroom and bathroom, places which are very private. The privacy interests of Sheth were significant.

2. the intrusion takes place within a domestic relationship

3. although Sheth was embarrassed and shocked at the intrusion no medical information was filed to support and establish an evidentiary basis to find any significant effect on Sheth’s health or welfare

4. the conduct of Patel in lying about the intrusion at his Discovery and even attempting to blame Sheth herself for the camera being installed is extremely aggravating and demonstrates a lack of any insight into what he did as being wrong.

Note also that the photos recovered and tendered in evidence by the plaintiff did not show anything explicit.

Patel v Sheth, 2016 ONSC 6964 (CanLII).

SCC says PIPEDA does not constrain a court’s procedural power

19 Nov

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3) , PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

Court approves settlement, limits recovery of class counsel fees

15 Sep

On August 29th, Justice Perell of the Ontario Superior Court of Justice approved settlement of an action brought against Home Depot following a significant 2014 payment card system intrusion. The Court approved a settlement that featured a $250,000 non-reversionary settlement fund for documented claims of “compromise” and an agreement to pay up to $250,000 in credit monitoring. It also denied payment of approximately $407,000 in (docketed) legal fees to class counsel as unjustified, approving instead payment of $120,000 in fees.

This is a good outcome for organizations exposed to potential class action claims for data security incidents. It was driven by two factors: (1) the Court found the incident was associated with a limited risk of damage; and (2) the Court was impressed by Home Depot’s incident response.

Regarding damage, the Court assessed the risk of damage flowing from a compromise to payment card information and e-mail address information as minimal:

[46] Professor Archer outlined three heads of damage to consumers from a payment card breach: (1) the risk of a fraudulent charge on one’s credit card; (2) the risk of identity theft; and (3) the inconvenience of checking one’s credit card statements. The so-called non-reversionary Settlement Fund of $250,000 is designed to provide compensation for these heads of damages.

[47] Of the three heads of damage, practically speaking, there is little risk of fraudulent charges because of sophisticated safeguards developed by credit card companies. Moreover, when there are frauds, the losses are almost always absorbed by the credit card company or the retailer. The credit card companies are not Class Members.

[48] In the immediate case, there is no evidence that a Class Member absorbed a fraudulent charge. Neither Merchant Law Group nor McPhadden Samac Tuovi LLP have been contacted by a putative Class Member who said that he or she suffered a financial loss attributable to the data breach.

[49] There is also little risk that the data breach, including the disclosure of email addresses, increased the risk of identity theft, because the stolen data would have been inadequate to allow a criminal to fake another’s identity.

[50] Mr. Hamel’s evidence was that for identity theft, the most important information to have is a government-issued identification number such as a driver’s licence number, social insurance number or passport number and preferably all three. In the immediate case, the data stolen from Home Depot did not include this information.

[51] As for inconvenience damages, in the immediate case, there are none, because credit card holders are already obliged to check their statements for fraudulent purchases.

(Note that the Office of the Information and Privacy Commissioner of Alberta has recognized that the loss of e-mail address is associated with a risk of spear phishing – a risk that is arguably remote.)

Regarding incident response, Home Depot had offered to pay for a number of fraud protection services following the incident – including credit monitoring, identity theft insurance and credit repair services. The Court commented that this reduced the need for behavior modification:

[100] The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.

These two factors led the Court to place little value on the action or the settlement. Justice Perell (who is outspoken) commented, “I would have approved a discontinuance of Mr. Lozanski’s proposed class action with or without costs and without any benefits achieved by the putative Class Members.”

Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (CanLII).

No privacy breach for reporting what’s on the court’s record

2 Sep

On August 10th, the Ontario Superior Court of Justice dismissed a privacy claim brought against the publishers of The Lawyer’s Weekly for reporting on the plaintiff’s involvement in a small claims court proceeding. The Court adopted the following defendant submission:

Further, recent developments in the common law regarding invasion of privacy have fallen well short of the cause of action asserted by Bresnark. On the facts of this case, there is no ‘intrusion upon seclusion’, nor even any disclosure of ‘private facts’. Indeed, the Article is wholly based on public court proceedings and the facts and findings disclosed on the record in those cases. Therefore, the cause of action asserted in paragraph 4 of the statement of claim should be struck as disclosing no cause of action. It is plain and obvious that it has no chance of success.

The Court also dismissed a defamation claim as statute-barred.

Bresnark v Thomson Reuters Canada Limited, 2016 ONSC 5105 (CanLII).