Court says privilege in letters left online waived

On May 5th the Court of Appeal for Newfoundland and Labrador affirmed a finding that a party had waived its solicitor-client privilege in two letters that had been published online.

The letters contained legal opinions to a defendant to an outstanding civil action. They were authored about five and nine years before the action was commenced, but apparently are “highly relevant” to the action. The plaintiffs downloaded the letters from the internet and produced them back to the defendant, which provoked the defendant’s privilege claim.

The defendant had learned the documents were circulating about six months prior to receiving the plaintiffs’ production when contacted by a CBC reporter and one of the plaintiffs (who also posted the letters on her Facebook). It decided not to attempt to take down the letters from the internet because of the expense and, in the Court’s words, because “the genie was out of the bottle and control over the documents would be virtually impossible to maintain.” Strangely, the defendant did not advise its defence counsel of the problem, so defence counsel only asserted privilege after receiving production (again, about six months later).

In these circumstances, the Court of Appeal held that privilege had been waived. Its key findings were as follows:

    • The defendant itself was aware of the publication of the letters well before the plaintiffs produced the letters in the litigation, but did not assert privilege against the plaintiffs. That defence counsel did not know that the letters were circulating until the plaintiffs produced them was irrelevant. Privilege belongs to the client, not its counsel.
    • Plaintiff counsel’s act of downloading of the letters from the internet for use in the litigation ought not be presumed to be improper. Although the Court confirmed that opposing counsel are obliged not to take advantage of an inadvertent disclosure of privileged communications, in this case the letters were somewhat old and it appears that the existence of an inadvertent disclosure was simply not reasonably apparent.
    • It was not wrong for the application judge to consider the lack of evidence about safeguarding efforts in deciding the waiver issue against the defendant: “A privilege-holder ought to be able to provide some evidence of how the privileged documents were safe-guarded to protect the privilege for it is within its power to do so.”

This is a careful judgement that’s directed at the facts. In my reading of it, the Court leaves some (though perhaps limited) room to assert privilege against an opposing party in litigation even though documents make their way inadvertently to the internet and are left there because “the genie is out of the bottle.”

Federation of Newfoundland Indians Inc. v Benoit, 2020 NLCA 16 (CanLII).

Privacy claim against documentary makers dismissed

On April 23rd, the Ontario Superior Court of Justice dismissed two privacy claims brought against the makers of a documentary – one based on the misappropriation of personality tort and the other based on the intrusion upon seclusion tort.

Wiseau (and others) brought the claims against the makers of a movie called Room Full of Spoons – a documentary about Wiseau and his own infamous movie, The Room. The Room has become notorious as one of the worst movies ever made. Room Full of Spoons disclosed Wiseau’s birthdate, birth name and place of birth, facts available to the public but not widely known, in part because Wiseau’s cultivation of mystery about his background.

Wiseau aggressively objected to the release of Room Full of Spoons, according to the Court, in part because he held a financial interest in a competing film. He obtained an injunction in 2017 that was held to have been improperly obtained, leaving Wiseau on the hook for $750,000 in damages.

In addition to making this damages order, Justice Schabas wrote a lengthy judgement that adresses fair dealing and related copyright issues, a passing off claim and various pre-trial and trial procedure issues. I’ll just address his disposition of the two privacy claims.

Justice Schabas dismissed the misappropriation of personality claim because Wiseau was a public figure who cultivated interest (and mystery) in his personality. The defendants’ use of Wiseau’s image to promote Room Full of Spoons (which was limited) was therefore not actionable. Justice Schabas followed Gould Estate, and held that use of Wiseau’s image served the purpose of contributing accurate information “to the public debate of political or social issues or of providing the free expression of creative talent” and was not primarily a means of “commercial exploitation.”

Justice Schabas dismissed the intrusion upon seclusion claim for reasons unrelated to the defendants’ right of expression, finding no “highly offensive” intrusion at all:

Wiseau has failed to make out the elements of the tort in this case.  No personal details of the kind referred to in Jones v. Tsige were disclosed by the defendants. Rather, what was disclosed was Wiseau’s birthplace, his birthdate, and the name he was given at birth and had as a child in Poland. This information was available from public sources, which is how the defendants obtained and confirmed it. Wiseau may be sensitive about this information because he has cultivated an aura of mystery around it, but disclosure of these facts is not, objectively speaking, something which can be described as “highly offensive.”

The idea that Wiseau’s privacy claim could not be sustained because his information was publicly available is significant, though consistent with traditional notions of privacy and confidentiality.

Wiseau Studio, LLC et al. v. Harper et al., 2020 ONSC 2504 (CanLII).

Cyber, secrecy and the public body

Here’s a copy of a presentation I gave yesterday at the High Technology Crime Investigation Association virtual conference. It adresses the cyber security pressures on public bodies that arise out of access-to-information legislation, with a segment on how public sector incident response differs from incident response in the private sector

IPC/Ontario determines what’s reasonable to include in a drug prescription

On April 20th, the IPC/Ontario held that it is reasonable to include a patient’s first and last name, address, telephone number and date of birth on an Ontario drug prescription.

First name, last name, address and telephone number can be included as primary identifiers, with the telephone number element also enabling communication. The IPC accepted that date of birth can also be included because it is an immutable identifier (unlike address and phone number) and also contributes the prevention of dosing errors (because dosage can depend on age).

The IPC also held that OHIP number can be included on prescriptions for controlled substances because it is required by section 5 of Ontario Regulation 381/11.

Women’s College Hospital (Re), 2020 CanLII 31115 (ON IPC).

Ont CA – reasonable expectation of privacy turns on potential for secondary use

The Court of Appeal for Ontario issued a judgement yesterday that highlights the potential for secondary use of collected data as a factor that weighs in favour of privacy protection.

The police swabbed the door handle of a car that was parked in public to test for cocaine residue. The Court found a reasonable expectation of privacy that rendered the search – which was done without judicial authorization – unlawful.

While holding that physical contact with the car was “a factor,” the Court de-emphasized the significance of physical contact with a chattel:

Too narrow a focus on whether there was a trespass to a chattel, and the extent of interference with use of that chattel, could obscure the privacy interests at stake, as here, where the trial judge focused on the fact that the taking of the swabs had no impact on the appellant’s use of the car and was not known to him.

Compare this to the United States Supreme Court finding in United States v Jones, in which a majority held that the trespass committed by police who install a GPS tracking device on a vehicle is the trigger to constitutional privacy protection.

The Court of Appeal for Ontario’s analysis rested more heavily on the potential for using the swab sample for purposes more intrusive than testing for cocaine residue:

These swabs presumably revealed whether the appellant had handled cocaine. I also agree with the observations in Wong, at para. 27, that privacy concerns are heightened because the swabs may also provide DNA samples for analysis by police, even if that is not why they were initially collected, or what they were used for. Patrick concerned police searches of a suspect’s curb-side garbage. Though the police were searching for evidence of drug offences, the potential for collection of DNA was also relevant to the privacy analysis: see para. 30. The court also expressed scepticism of the notion that privacy concerns are diminished because the search was targeted at contraband: see Patrick, at para. 32; see also A.M., at para. 73.

Search methodologies can be so targeted as to become defensible. The Supreme Court of Canada’s Tessling case, for example, suggests that capturing a heat signature emanating from a residence is unobtrusive because it reveals criminal activity in the house – an illegal grow op – and not much else. The majority in Tessling expressly said that a search should not be judged based on “theoretical” secondary uses. In this case, the potential for secondary use was real.

Hat tip to Fred Schumann of Stockwoods.

R. v. Wawrykiewycz, 2020 ONCA 269.

 

Ont CA says bag search unlawful, order $500 in damages

On April 16th, the Court of Appeal for Ontario held that the Toronto Police breached sections 2(b), 8 and 9 of the Charter by enforcing a “condition of entry” to a public park because they were not properly authorized to establish the condition.

The City of Toronto had authorized the police to act as its agents “for the purpose of administering the Trespass to Property Act.” Acting under this authority, the police decided to search bags (and all other things in which weapons could be concealed) possessed by those attending a G20 protest at Allan Gardens. The appellant took issue with the legality of this “condition of entry.” The police restrained him when he refused to comply, searched his bag and confiscated a pair of swim goggles. You can see a video of the altercation here.

The Court of Appeal decision turned on text of the grant of authorization, which the Court held was too narrow given the Trespass to Property Act only provides property owners and occupiers with “a suite of enforcement powers” and not a power to create restrictions on access to property. It said, “The jurisprudence consistently takes a rigorous approach when interpreting the sources of legal authority relied upon by government to encroach upon the liberty of the subject.”

The Court ordered the police to pay $500 in damages. It said the appellant (who drew attention to his fate during the altercation and afterwards) did not establish any reputational or other personal loss. The Court also noted that the police acted in good faith with a view to the safety of the public.

Stewart v Toronto (Police Services Board), 2020 ONCA 255 (CanLII).

FCA revives longstanding test for protective orders in IP disputes

On February 17th, the Federal Court of Appeal re-clarified that protective orders ought to be granted based on the test set out in AB Hasslei.e., when “the moving party believes that its proprietary, commercial and scientific interests would be seriously harmed by producing information upon which those interests are based.” It held that the application of the more restrictive test for confidentiality orders set out in Sierra Club was not warranted.

Canadian National Railway Company v BNSF Railway Company, 2020 FCA 45 (CanLII).

No privacy breach for publishing information about a provincial offences conviction

Late last year the Ontario Superior Court of Justice issued judgement in a hard-fought dispute between residential neighbours. After an 11-day small claims court trial (!) the Court allowed one neighbour’s privacy breach claim and dismissed the other’s.

The Court allowed a claim against the defendants for directing surveillance cameras and motion-activated floodlights at the plaintiffs’ property as part of a deliberate campaign of harassment. It awarded each plaintiff $8,000, noting evidence of “significant stress and irritation.” The Court also awarded each plaintiff $500 on account of their exposure to “obstructive parking.”

The successful plaintiffs tended to the high road, at one point returning the defendants’ stray dog in an act of neighbourliness. They did, however, publicly post a document that detailed a Provincial Offences Act conviction of one of the defendants. (They said did so to give their prying-eyed neighbours “something to look at.”) The Court dismissed a counterclaim based on this publication, explaining:

Convictions and sentences imposed by courts of law are events which occur in public and are publicly-available information.  The fact that some third party has posted such facts on the internet makes them all the more public.  I am unable to accept the defence submission, unsupported by authority, that for Mr. Cecchin to find and post this information constitutes an actionable invasion of privacy.  Such a conclusion would be inconsistent with the definition pronounced by Sharpe J.A. in Jones v. Tsige (2012), 2012 ONCA 32 (CanLII), 108 O.R. (3d) 241 (C.A.), at para. 70.  The conviction and sentence cannot be viewed as Mr. Bradbury’s “private affairs or concerns”.  Nor would a reasonable person regard the search for or publication of the outcome of legal proceedings as “highly offensive.”

In a similar vein, the Court dismissed a counter-claim that alleged the plaintiffs committed a privacy violation by writing a letter to other neighbours drawing their attention to the defendants’ non-compliance with municipal bylaws. It said that the claim was untenable as one that attacked, “an exercise of free speech, of local political action and participation in the municipal legal process.”

Cecchin v Lander, 2019 CanLII 131883 (ON SCSM).

UKSC decides data thief was on a “frolic of his own”

The Supreme Court of the United Kingdom has decided an important vicarious liability case in favour of a company whose rogue employee stole payroll information and posted it online.

The company entrusted the employee with payroll data pertaining to over 120,000 of its employees to facilitate an audit. The employee – who was still aggrieved about some discipline the company had earlier imposed – passed the data to the auditor as instructed, but kept a copy and posted it online as part of a personal vendetta.

As in Canadian law, United Kingdom law deems employers to be responsible for the wrongful acts of their employees that are not authorized if there is a “sufficient connection” between the wrongful act and the work that is authorized. The creation of “opportunity” to commit the wrong is a factor, and the analysis is to be conducted with a view to the policy-implications, leading some to argue that data security concerns justify broadly-imposed vicarious liability.

Nonetheless, the Court held that cause (or the creation of opportunity) was not enough to warrant this employer’s liability for its employee’s data theft. That is, the employee’s theft (and his public disclosure) was caused by the company’s provision of data to the employee, but the employee was still motivated to harm the employer and “on a frolic of his own” that did not warrant employer liability.

WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondent), [2020] UKSC 12.

 

Hackers, hacking and cybersecurity for kids

Many of you know Dustin Rivers and Chris Lutz of the Public Service Information Community Connection, who run some of our major Canadian privacy conferences. Like the great entrepreneurs they are, Dustin and Chris have put together an online kids camp for delivery to COVID-sequestered kids from across the globe!

I volunteered as a camp instructor and just did this presentation. It was fun, and  a great exercise to reduce the subject matter I deal with in a far different context to something that could be understood by six to ten year olds! Not only that, my son and I created the deck together – more learning.

Here’s the deck. Next time I’ll record!