BCCA sends notice issue back to BC OIPC

On September 25th, the Court of Appeal for British Columbia partially upheld Airbnb’s successful judicial review of a British Columbia OIPC decision that required the City of Vancouver to disclose short term rental addresses along with related information, but vacated the application judge’s order to notify over 20,000 affected individuals.

Background

The City licenses short term rentals. It publicly discloses license information, presumably to enable renter inquires. However, the City stopped publishing host names and rental addresses with license information in 2018 based on credible reports of safety risks. Evidence of the safety risks was on the record before the OIPC – general evidence about “concerned vigilante activity” and harassment, evidence about a particular stalking episode in 2019 and evidence that raised a concern about enabling criminals to determine when renters likely to be out of the country.

The OIPC nonetheless ordered the City to disclose:

License numbers of individuals;
Home addresses of all hosts (also principle residences given licensing requirements); and
License numbers associated with the home addresses.

It was common ground that the above information could be readily linked to hosts by using publicly available information, rendering the order upsetting to Airbnb’s means of protecting its hosts. Airbnb only discloses the general area of rentals on its platform, which allows hosts to screen renters before disclosing their address.

Supreme Court Decision

The application judge affirmed the OIPC dismissal of the City’s safety concern as a reasonable application of the Merck test, but held that the OIPC erred on two other grounds.

First, the Court held that the OIPC unreasonably held that home address information was contact information rather than personal information. It failed to consider the context in making a simplistic finding that home address information was “contact information” because the home address was used as a place of business. The disclosure of the home address information, in the context, had a significant privacy impact that the OIPC ought to have considered.

Second, the Court held that the OIPC erred in not giving notice to the affected hosts – who numbered at least 20,000 – and for not providing reasons for its failure. The Court said this was a breach of procedural fairness, a breach punctuated by the evidence of a stalking and harassment risk that the OIPC acknowledged but held did not meet the Merck threshold.

Appeal Court Decision

The Court of Appeal affirmed the lower court’s contact information finding. It also held that the matter of notice to third parties ought to have been raised before the OIPC at the first instance, and that the application judge ought not to have ordered notice to be given. It stressed the OIPC’s discretion, and said:

Relevant facts that may inform the analysis include the nature of the records in issue, the number of potentially affected third parties, the practical logistics of providing notice, whether there are alternative means of doing so, and potential institutional resource issues.

Analysis

Giving notice and an opportunity to make submissions to 20,000 affected individuals is no small matter. In this case, valid electronic contact information was likely available. However, even a 2% response rate would generated 400 submissions, each of which deserving of due consideration.

Many institutions, thinking practically, would simply deny access as a means of avoiding this burden and respecting affected party rights, bearing in mind that the Supreme Court of Canada cautioned in Merck that notice should be given prior to disclosure in all but “clear cases.” When an institution denies access to avoid a massive notification burden, that burden transfers to the relevant commissioner/adjudicator, and even recognizing “practical logistics” and “institutional resource issues,” is see no reason why the “clear cases” rule from Merck should not be the governing test.

The Office of the Information and Privacy Commissioner for British Columbia v. Airbnb Ireland UC, 2024 BCCA 333.

NSCA outlines the “law of redaction”

Exactly when should an entire document be withheld because redaction is not reaonable?

Freedom of information adjudicators have used the concept of “disconnected snippets” to delineate; if redaction would leave a reader with meaningless “disconnected snippets,” entire records can rightly be withheld.

The Nova Scotia Court of Appeal, on August 7th, applied similar logic in determining that a set of affidavits “could not be redacted without sacrificing their intelligibility and therefore the utility of public access.” It therefore held that the affidavits could be sealed in whole in compliance with the necessity component of the test from Sherman Estate.

Notably, the Court reviewed cases that establish a second basis for full record withholding – cost. In Patient X v College of Physicians and Surgeons of Nova Scotia, the Nova Scotia Supreme Court held that redacting a 120-page records would be too “painstaking and prone to error” given it included a significant number of handwritten notes. And in Khan v College of Physicians and Surgeons of Ontario, the Ontario Superior Court of Justice reached a similar finding given the record requiring redaction was almost 4,500 pages in length, requiring an error prone hunt for (sensitive) patient information.

Back to freedom of information, where costs are passed through to requesters. In Ontario, the norm is to charge through two minutes a page for redaction. Should a premium be chargeable for handwritten records or records that contain very sensitive information?

Dempsey v. Pagefreezer Software Inc., 2024 NSCA 76 (CanLII).

Notable quote from recent EWCA freedom of information judgement

On November 22, 2023, the Court of Appeal (England and Wales) held that the Freedom of Information Act 2000 permits the public interest in maintaining non-absolute exemptions to be weighed in the aggregate against the public interest in disclosure.

This decision is technical, and about the unique structure of the United Kingdom’s freedom of information statute. Lady Justice Andrews even remarked, “I anticipate that it will rarely be the case that the issue of statutory construction that we have been asked to resolve would make a practical difference to the outcome of an application for disclosure under FOIA.” The ICO is apparently appealing nonetheless.

I am blogging about the decision because Lord Justice Lewis provides us with this good quote that challenges the idea that a purposive interpretation of an access statute necessarily favours access. He says:

…it is too simplistic to say, as the Upper Tribunal did and as the respondents do, that aggregation of the different public interests in non-disclosure would lead to less disclosure of information and so run counter to the purpose of FOIA which is to promote openness. Similarly, it is unduly simplistic to take the view that FOIA is to be interpreted in as liberal a manner as possible in order to promote the right to information. As Lord Hope recognised in the Common Services Agency case, the right to information is qualified in significant respects and appropriate weight must be given to those qualifications as the “scope and nature of the various exemptions plays a key role within the Act’s complex analytical framework” (see paragraph 34 above). A similar approach to FOIA has been recognised by Lord Walker in BBC v Sugar (No.2) [2012] UKSC 4, [2012] 1 WLR 439, especially at paragraphs 76 to 84 and in Kennedy by Lord Mance and Lord Sumption (with whom Lord Neuberger and Lord Clarke agreed) in the quotations set out at paragraphs 35 and 36 above. Rather, the wording of section 2(2) should be considered, in the light of the statutory context, to determine how Parliament intended the system of exempting information from disclosure to operate.

Bear in mind that the purpose sections in Ontario’s freedom of information statutes expressly state that statutory “exemptions” from the public right of access should be “limited and specific.” The Divisional Court, however, has also held that the statutory purpose of FIPPA and MFIPPA weights in favour of narrowly construing exclusions – the provisions that remove certain records entirely from the scope of the right of access. I question that approach for the reasons articulated by Lord Justice Lewis; it is too simplistic an approach to discerning legislative intent.

Dept for Business and Trade v IC and Montague [2023] EWCA Civ 1378.

Alberta CA interprets intergovernmental relations FOI exemption broadly

On December 6th, the Court of Appeal for Alberta held that a record supplied by a local police service to another local police service is amenable to withholding under the intergovernmental relations exemption in the Alberta Freedom of Information and Protection of Privacy Act.

The document at issue was a threat assessment report supplied by the RCMP to the Edmonton Police Service. The RCMP was acting under contract to provide local police services, which led the Alberta OIPC to find that it was an agency of the province. The OIPC relied on the heading “disclosure harmful to intergovernmental relations” and held that information supplied to a public body by an entity within Alberta could not qualify for exemption.

The Court held that the OIPC erred in its narrow interpretation of the exemption and by finding that the RCMP was an agency of the province. In the circumstances, the RCMP was to be treated as any other police service – a “local government body” – and one who could benefit from the exemption in disclosing information to another local public body. The OIPC put too much weight on the “intergovernmental relations” heading, it said, and ignored the plain wording of the Act.

Edmonton Police Service v Alberta (Information and Privacy Commissioner), 2022 ABCA 397 (CanLII).

Recent cyber presentations

Teaching is the best way of learning for some, including me. Here are two recent cyber security presentations that may be of interest:

A presentation from last month on “the law of information” that I delivered to participants in the the Osgoode PDP program on cyber security
Last week’s presentation for school boards – Critical Issues in School Board Cyber Security

If you have questions please get in touch!

Understanding the Employment-Related Records Exclusion

Here is a copy of the presentation I delivered yesterday at the at the PISCC’s 2020 Ontario Connections Conference. As I told the audience, I’m a confessed FOI nerd. The exclusion is such a unique, important and misunderstood part of our Ontario FOI law that it was good to dive deep on it while in good company.

ALSO, BLG is launching a new webinar series for the provincial public sector called “nuts and bolts.” The first webinar will run in late November, please sign up here, or if you can’t attend in November and want me to put you on our mailing list please DM me.

View this document on Scribd

Federal Court says firearm serial numbers not personal information

On October 9th, Justice McHaffie of the Federal Court held that firearm serial numbers, on their own, are not personal information. His ratio is nicely stated in paragraphs 1 and 2, as follows:

Information that relates to an object rather than a person, such as the firearm serial numbers at issue in this case, is not by itself generally considered personal information”since it is not information about an identifiable individual. However, such information may still be personal information exempt from disclosure under the Access to Information Act, RSC 1985, c A-1 [ATIA] if there is a serious possibility that the information could be used to identify an individual, either on its own or when combined with other available information.

The assessment of whether information could be used to identify an individual is necessarily fact-driven and context-specific. The other available information relevant to the inquiry will depend on the nature of the information being considered for release. It will include information that is generally publicly available. Depending on the circumstances, it may also include information available to only a segment of the public. However, it will not typically include information that is only in the hands of government, given the purposes of both the ATIA and the personal information exemption.

This is not a bright line test, though Justice McHaffie did say that the threshold should be more privacy protective than if the “otherwise available information” requirement was limited to publicly available information or even information available to “an informed and knowledgeable member of the public.”

Canada (Information Commissioner) v Canada (Public Safety and Emergency Preparedness), 2019 FC 1279 (CanLII).

FCA speaks on impact of a consent to disclose third-party information under the ATIA

On June 22nd, the Federal Court of Appeal ordered Public Works and Government Services Canada to re-determine an access request because it decided that a third-party’s consent to disclose its commercial information ruled out an exemption claim.

The request was for personnel rates offered to government by a staffing company. The company agreed to a contract clause that the Court held constituted a consent to disclose the information to the public at large.

The Court held that PWGSC erred by treating the clause as an “outright bar” to the company’s reliance on the third-party information exemptions in the Access to Information Act. It held that PWGSC ought to have first determined if any of the third-party exemptions applied and then considered whether or not to disclose the information because of the consent [thereby exercising the discretion granted in section 20(5)].

The decision also includes helpful dicta on the kind of evidence that third-parties must adduce to establish probable economic harm – dicta that supports an argument that the likelihood of harm can oftentimes be inferred from rather basic facts about the competitive context. (Rate or unit price information, in particular, is associated with some rather obvious potential harms.)

Canada (Office of the Information Commissioner) v. Calian Ltd., 2017 FCA 135 (CanLII).

The Australian “Ben Grubb” decision and its link to Canada

There’s been some talk about the Federal Court of Australia’s recent decision in the “Ben Grubb” case – Mr. Grubb being the journalist who requested and was denied access to certain data related to his mobile phone usage from his carrier. Although the data was linked to Mr. Grubb’s mobile phone usage, the Court held it was not “information about” Mr. Grubb and therefore was not “personal information” that Mr. Grubb could access under the Australia Privacy Act. The Court explained:

…in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

In some instances the evaluative conclusion will not be diﬀicult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network
type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more diﬀicult. Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the
causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words
“about an individual” will exclude some of that information from National Privacy Principle 6.1

In other words, there must be more than a link between information and an individual for the information to be “personal” information. The information must also reveal something “about” the person in a way that engages a reasonable expectation of privacy. I am not sure whether this “guts” the rights provided by the Australia Privacy Act as reported, but this reasoning has been a feature of Canadian law, most notably supported in our Federal Court of Appeal’s Nav Canada case – an authority the Australian court relied upon in determining the outcome of Mr. Grubb’s access request.

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 (19 January 2017).

Alberta CA comments on meaning of “personal information”

Whether information is “personal information” – information about an identifiable individual – depends on the context. The Court of Appeal of Alberta issued an illustrative judgement on April 14th. It held that a request for information about a person’s property was, in the context, a request for personal information. The Court explained:

In general terms, there is some universality to the conclusion in Leon’s Furniture that personal information has to be essentially “about a person”, and not “about an object”, even though most objects or properties have some relationship with persons. As the adjudicator recognized, this concept underlies the definitions in both the FOIPP Act and the Personal Information Protection Act. It was, however, reasonable for the adjudicator to observe that the line between the two is imprecise. Where the information related to property, but also had a “personal dimension”, it might sometimes properly be characterized as “personal information”. In this case, the essence of the request was for complaints and opinions expressed about Ms. McCloskey. The adjudicator’s conclusion (at paras. 49-51) that this type of request was “personal”, relating directly as it did to the conduct of the citizen, was one that was available on the facts and the law.

The requester wanted information about her property because she was looking for complaints related to her actions. The request was therefore for the requester’s personal information. Note the Court’s use of the word “sometimes”: context matters.

Edmonton (City) v Alberta (Information and Privacy Commissioner), 2016 ABCA 110 (CanLII).