Ontario electronic monitoring bill coming

We’re getting numerous questions today about Ontario’s move to implement a electronic monitoring legislation.

We have no bill yet, but the announcement says:

The policy would need to contain information on whether the employer electronically monitors its workers, and if so, a description of how and in what circumstances the employer does this. In addition, the employer would need to disclose the purpose of collecting information through electronic monitoring.

The devil is in the detail, but this seems painless enough. There is nothing to indicate the Bill will impose a limit on monitoring, which is permitted by law and entirely unregulated in Ontario right now. Notice is a good practice, employed by many already, and can help cleanse networks of personal data that does get lost and stolen and that can complicate investigations and audits.

It will be important to see how monitoring is defined, and whether it is confined to endpoint monitoring or is likely to capture all the various means by which network data is captured and analyzed. There is a trend towards endpoint monitoring by the way, now arguably a network security best practice.

Let’s hope we get a bill that’s as benign as it has first appeared.

UKSC recognizes the frailty of collective judgement and protects the privacy of investigative subjects

Earlier this week. the Supreme Court of the United Kingdom held that, as a “legitimate starting point,” persons under investigation by law enforcement have a reasonable expectation of privacy in the fact they are suspected of a crime and any expressed basis for that suspicion.

The Court affirmed an award of privacy tort damages made to a former CEO of a publicly traded company who United Kingdom authorities suspected of various financial crimes. He successfully sued Bloomberg, who had published an article with details about the investigation after Bloomberg had been leaked a copy of a letter of request that the authorities had sent to another state in furtherance of their investigation.

To sue for misuse of information in the UK one must first establish that they have a reasonable expectation of privacy in the relevant information. As in our Charter jurisprudence, the test is contextual and requires an examination of all the circumstances.

The Court said this does not preclude recognition that certain classes of information are, as a starting point, private enough to warrant protection. It held there is growing recognition of the harms faced by those suspected (but not yet charged) of crimes and made its protective finding, pointing out that some circumstances will weigh against an expectation of privacy. An arrest that follows public rioting, the Court said, would not (ordinarily) attract an expectation of privacy.

The Court said the rationale for its starting point is the potential for damage to reputation, which it tied to the right of privacy as follows:

Fifth, the rationale for such a starting point is that publication of such information ordinarily causes damage to the person’s reputation together with harm to multiple aspects of the person’s physical and social identity such as the right to personal development, and the right to establish and develop relationships with other human beings and the outside world all of which are protected by article 8 of the ECHR: see Niemietz v Germany (Application No 13710/88) (1992) 16 EHRR 97, para 29. The harm and damage can on occasions be irremediable and profound.

Despite linking the right of privacy to the protection of reputation, the Court nonetheless held that defamation law’s recognition that the ordinary reasonable reader is capable of distinguishing suspicion from guilt is irrelevant to the resolution of a privacy claim. Rather, it took notice of the profound impact that the publication of suspicions can have on individuals despite the criminal justice system’s presumption of innocence.

The presumption of innocence is a legal presumption applicable to criminal trials. In that context the presumption weighs heavily in the directions that a jury is given or in the self-directions that a judge sitting alone applies. However, the context here is different. In this context the question is how others, including a person’s inner circle, their business or professional associates and the general public, will react to the publication of information that that person is under criminal investigation. All the material which we have set out between paras 80-99 above now admits to only one answer, consistent with judicial experience, namely that the person’s reputation will ordinarily be adversely affected causing prejudice to personal enjoyment of the right to respect for private life such as the right to establish and develop relationships with other human beings. Accordingly, we reject the submission that a general rule or starting point is unsound because it significantly overstates the capacity of publication of the information to cause reputational and other damage to the claimant given the public’s ability and propensity to observe the presumption of innocence.

The Court did not mention the internet or the so-called “cancel culture” phenomenon, though its judgement is responsive to a very similar concern. It understands that we may shun those who are the subject of criminal suspicion while offering them a measure of protection from these “unfair” harms.

Bloomberg LP (Appellant) v ZXC (Respondent), [2022] UKSC 5.

The perils of e-mail attachments and privilege claims

The Court of Appeal for Saskatchewan issued a freedom of information judgement last week that illustrates a good practice point for FOI practitioners: claim privilege over privileged e-mails and their attachments together.

“Record 1” was an e-mail sent to Ministry legal counsel for the purposes of obtaining legal advice about its attachments. Though part of the privileged communication, the Ministry indexed the attachments as “Record 2” and “Record 3.” It claimed that the attachments were privileged, and also exempt pursuant to the Saskatchewan exemption for “information obtained in confidence from other governments.”

By making its exemption claims in this way, the Ministry revealed that it sought legal advice on communications (and information) it received from other governments. Is it any surprise, then, that the Court affirmed a finding that the attachments were not protected by solicitor-client privilege?

While viewing the Court’s finding is understandable, I don’t agree that it is correct. The attachments to (privileged) Record 1 are clearly part of a privileged communication. As part of that communication (and not necessarily on their own), the attachments are privileged. The Ministry ought to have better protected its privilege by indexing Record 1 in its entirety and, if Records 2 and 3 were responsive on their own, indexing each separately.

Saskatchewan (Ministry of Health) v West, 2022 SKCA 18 (CanLII).

A call to modernize public sector privacy statutes without inviting litigation

The wave of public sector reform is coming, so it’s time to start thinking and talking about they best way achieve strong privacy protection in the Ontario public sector. I had the honour of participating the University of Toronto’s Privacy Day celebration yesterday, including by sitting on a panel and giving the short prepared remark below. I’m all for privacy protection and modernization, but the implementation of administrative monetary penalties in the Ontario public sector (like now in Quebec) would fundamentally change the relationship between the Ontario public sector and its regulator and not serve the public or education sectors well.

Cyber class action claims at an inflection point

Yesterday, I happily gave a good news presentation on cyber claims legal developments to an audience of insurance defence lawyers and professionals at the Canadian Insurance Claims Managers Association – Canadian Independent Adjusters’ Association – Canadian Defence Lawyers joint session.

It was good news because we’ve had some recent case law developments create legal constraints on pursuing various common claims scenarios, namely:

  • The lost computer, bag or other physical receptacle scenario – always most benign, with notification alone unlikely to give rise to compensable harm, a trial judgement looking positively at a one year credit monitoring offer and proof of causation of actual fraud a long shot at best
  • The malicious outsider scenario – for the time being looking like it will not give rise to moral damages that flow from an intentional wrong (though this will be the subject of an Court of Appeal for Ontario hearing soon in Owsianik)
  • The malicious insider scenario – partly addressed by a rather assertive Justice Perell finding in Thompson

We’re far from done yet, but as I say in the slides below, we’re at the early stages of an inflection point. I also give my cynical and protective practical advice – given the provable harms in the above scenarios flow mainly from the act of notification itself, notify based on a very strong analysis of the facts and evidence; never notify because there’s a speculative risk of unauthorized access or theft​. Never a bad point to stress.

Privacy and the pandemic

I spoke today at the Schedule 2 Employers’ Group virtual speakers series about privacy and the pandemic. It was a good chance to describe all of the ways we use information to manage the risk of workplace exposure to COVID-19. We looked closely at the major information flows – screening, location tracking, exposure notification – and I even did a little riff on defense in depth. Slides below for your viewing pleasure.

Cyber security for the regulator and regulated

On Monday I addressed an audience a the Ontario Regulatory Authorities continuing professional development conference on the topic of cybersecurity. It was a good chance to record an updated and concise view of the Canadian threat environment along with the cyber defence and incident response issues facing Canadian organizations. Here are the slides for your reading pleasure.

The union right of access to information

I’ve done a fair deal of enjoyable work on matters relating to a union’s right of access to information – be it under labour law, health and safety law (via union member participation in the health and safety internal responsibility system) or via freedom of information law. Today I had the pleasure of co-presenting to the International Municipal Lawyers Association on the labour law right of access with my colleague from the City of Vaughan, Meghan Ferguson.

Our presentation was about how the labour law right has fared against employee privacy claims. In short, it has fared very well, and arguably better in Ontario than in British Columbia.

I don’t believe the dialogue between labour and management is over yet, however, especially as unions push for greater access at the same time privacy sensitivities are on the rise. The advent of made-in-Ontario privacy legislation could be an impetus for a change, not because it is likely to provide employees with statutory privacy rights as much as because the new legislation could apply directly to unions. So stay tuned, and in the interim please enjoy the slides below.

What’s not to say about Sherman Estate?

We all know that the Supreme Court of Canada decided Sherman Estate v Donavan on June 11th. I just got to it today, and was surprised at its significance to information and privacy law beyond the open courts principle itself. Here is a quick note on its three most salient broader points.

The Court held that records filed in court by estate trustees seeking probate ought not to have been sealed given the presumption of openness that applies to all court proceedings. In doing so, however, it recognized for the first time that privacy alone (whether or not it encourages access to justice) could be “an important public interest” that warrants a departure from the presumption.

Point one – sensitive information is information linked to the biographical core

Most significantly, the Court said that not any privacy interest will qualify. Privacy is such a subjective, difficult and confused concept that many individuals with genuinely felt “sensibilities” must be precluded from claiming that their privacy interest weighs against the openness of a court proceeding. A privacy interest only qualifies as “an important public interest” if the information at stake is “sufficiently sensitive such that it can be said to strike at the biographical core of the individual.”

The biographical core is a concept first articulated in R v Plant in 1993 and has since been criticized by privacy advocates as a concept that limits privacy protection. Yet here it is, front and centre as the limitation on privacy that will now protect the transparency of our justice system. The Court links the biographical core to the protection of human dignity, as it explains in the following paragraph:

Violations of privacy that cause a loss of control over fundamental personal information about oneself are damaging to dignity because they erode one’s ability to present aspects of oneself to others in a selective manner (D. Matheson, “Dignity and Selective Self-Presentation”, in I. Kerr, V. Steeves and C. Lucock, eds., Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society (2009), 319, at pp. 327‑28; L. M. Austin, “Re-reading Westin” (2019), 20 Theor. Inq. L. 53, at pp. 66‑68; Eltis (2016), at p. 13). Dignity, used in this context, is a social concept that involves presenting core aspects of oneself to others in a considered and controlled manner (see generally Matheson, at pp. 327‑28; Austin, at pp. 66‑68). Dignity is eroded where individuals lose control over this core identity‑giving information about themselves, because a highly sensitive aspect of who they are that they did not consciously decide to share is now available to others and may shape how they are seen in public. This was even alluded to by La Forest J., dissenting but not on this point, in Dagg, where he referred to privacy as “[a]n expression of an individual’s unique personality or personhood” (para. 65). 

The term “fundamental personal information” used here is sure to be re-used by privacy defence counsel to deal with disputes about sensitivity. And although the Court stressed again and again that its reasoning was made for the open courts context, we need the authority. The concept of sensitivity is as confused as any aspect of privacy law. The Office of the Privacy Commissioner of Canada finds personal information to be sensitive in virtually every one of its reports. It has found home address information sensitive, for example, yet the Ontario Superior Court of Justice held that home address information doesn’t warrant common law privacy protection. Sherman Estate is going to be helpful to those of us who are striving for a clear and predictable boundary to privacy claims.

Point two – the concept of privacy is a mess

The Court has already said that privacy is “somewhat evanescent” (Dagg) and “protean” (Tessling), and has noted that scholars have criticized privacy as being a concept in “theoretical disarray” (Spencer). In Sherman Estate, the Court revisits this criticism and, for the first time, clearly applies it to limit the scope of privacy protection. It says:

Further, recognizing an important interest in privacy generally could prove to be too open‑ended and difficult to apply. Privacy is a complex and contextual concept (Dagg, at para. 67;see also B. McIsaac, K. Klein and S. Brown, The Law of Privacy in Canada (loose‑leaf), vol. 1, at pp. 1‑4;D. J. Solove, “Conceptualizing Privacy” (2002), 90 Cal. L. Rev. 1087, at p. 1090). Indeed, this Court has described the nature of limits of privacy as being in a state of “theoretical disarray” (R. v. Spencer2014 SCC 43, [2014] 2 S.C.R. 212, at para. 35). Much turns on the context in which privacy is invoked. I agree with the Toronto Star that a bald recognition of privacy as an important interest in the context of the test for discretionary limits on court openness, as the Trustees advance here, would invite considerable confusion. It would be difficult for courts to measure a serious risk to such an interest because of its multi-faceted nature.

This is another very important paragraph for privacy defence counsel. I have relied on the first chapter of Daniel Solove’s Understanding Privacy more than once in a factum as a means of inviting a conservative response to a novel privacy matter. Now we have clear Supreme Court of Canada authority on point.

Yes I am arguing against privacy protection, but it is because I deeply crave clarity. Organizations are faced all manner of novel and bold privacy claims, the merits of which are too difficult to assess. We need a clearly defined limit to what counts as a privacy interest worthy of legal protection, whatever it is. This is another reason Sherman Estate is good: the first step to healing is to admit you have a problem!

Point three – a step towards unification, and a half step back

This is why it is so disappointing that the Court keeps saying that privacy is in theoretical disarray without taking up the challenge of fixing the problem.

As I’ve explained, it repeatedly tied its reasoning to the open courts context, and although it took the novel step of relying on Charter jurisprudence to help with its delineation, the Court felt it necessary to make clear that a reasonable expectation of privacy protected by section 8 of the Charter is different.

I pause here to note that I refer to cases on s. 8 of the Charter above for the limited purpose of providing insight into types of information that are more or less personal and therefore deserving of public protection. If the impact on dignity as a result of disclosure is to be accurately measured, it is critical that the analysis differentiate between information in this way. Helpfully, one factor in determining whether an applicant’s subjective expectation of privacy is objectively reasonable in the s. 8 jurisprudence focuses on the degree to which information is private (see, e.g., R. v.Marakah2017 SCC 59, [2017] 2 S.C.R. 608, at para. 31Cole, at paras. 44‑46). But while these decisions may assist for this limited purpose, this is not to say that the remainder of the s. 8 analysis has any relevance to the application of the test for discretionary limits on court openness.

Privacy shouldn’t have a different meaning in the open courts context and the Charter context and the common law/civil context. Why should it? It’s a fundamental right is it not? Has all the talk about contextual significance caused us to be too conservative? Lazy, even? Certainly facts can be assessed in their proper context under a unified concept?

We have unified our reading of differently worded anti-discrimination statutes to provide for clear and strong law across the Country given the importance of human rights protection. I fail to see why we are so hesitant to unify our privacy law.

Sherman Estate is therefore a good decision in my eyes, but not great, and there is more work to be done.

Sherman Estate v. Donovan, 2021 SCC 25 (CanLII).

[This is a personal blog, and these are my views alone. They do not reflect the views of my firm or colleagues.]