Automobile accident litigation, privacy and bad tactics

Lee Akazaki of Gilbertson Davis has written a fascinating article in the most recent Advocates’ Quarterly (vol 50) about a privacy-related development that he argues is interfering with the just and expeditious handling of no-fault motor vehicle claims in Ontario.

Mr. Akazaki explains that plaintiff counsel are using privacy claims to frustrate the mandatory independent medical examinations required by section 44 of the Statutory Accident Benefit Schedule:

In about 2016, assessors began to receive cryptic letters from the clients of lawyers retained to advance injury claims. The letters invariably followed a template containing a client’s name, the lawyer’s office address, and the client’s signature. Written in “legalese,” the letters demanded that s. 44 assessors account directly to the claimant for various documents and procedures in the IME process. The letters stated the recipients were not to disclose the requests to insurers or other parties, thus leaving assessors worried that reprisals would follow if they alerted insurers or their agents. They also demanded responses within 30 days, failing which the assessor was liable to face a complaint to the Office of the Privacy Commissioner (OPC) under the Canadian federal Personal Information Protection and Electronic Documents Act (PIPEDA). The letters exploited ostensible conflicts among health care standards, privacy litigation and SABS.

This is shocking, especially given that PIPEDA does not apply. On this point I agree with Mr. Akazaki, though my reasoning differs. This is entirely analogous to the State Farm case, in which the Federal Court held that the gathering of evidence to resolve a civil dispute in a province was not subject to PIPEDA because it is not, in its essence, “commercial activity.” It is unlike Wyndowe, an earlier case in which the Federal Court held that an independent medical examination under a disability insurance contract was subject to PIPEDA.

Mr. Akazaki argues that Wyndowe is distinct because the SABS regime (unlike typical contractual examination rights under disability insurance contracts) treats the (provisional) denial of benefits as a condition precedent to an examination. Okay, but I think the point of distinction is likely more fundamental. It strikes me – and I am not an insurance lawyer! – that the SABS regime is a public regime for resolving civil disputes in the province and is, in part at least, a means of keeping litigation out of court. It’s the public character of the SABS dispute resolution regime that ought to provide it with a form of immunization from PIPEDA. It’s what makes the “primary characterization of the activity” (to use the State Farm test words) something other than commercial.

And a word to the wise: never assume that a privacy statute applies. Application issues abound, and litigating them is where all the fun is at!

Canadian data commissioners have their say on political ad targeting… and more

On November 26th, the Office of the Privacy Commissioner of Canada (the OPC) and the Office of the Information and Privacy Commissioner of British Columbia (the OIPC) jointly held that online marketing company AggregateIQ Data Services breached Canadian privacy law in providing services that supported online targeted political advertising for two campaigns said to be instrumental to the 2016 “Brexit” referendum.

AggregateIQ is a small BC company that provided services to SCL Elections, the UK-domiciled parent of Cambridge Analytica – infamous for harvesting data from millions of Facebook users without consent. The joint report is quite vague about whether AggregateIQ used the Cambridge Analytica contraband, and AggregateIQ denies it.

The central finding in the joint report is that information about one’s “political leanings or affiliations” is “sensitive” personal information. Accordingly, the commissioners said, authorization given by an individual to communicate via e-mail was not sufficient to authorize micro-targeting via Facebook (and its “custom audiences” service). They explained:

AIQ asserted that Facebook is simply another way of communicating with individuals, not materially different from email. We respectfully disagree. In our view, an individual who had initially provided their email address for purposes of being kept “up to date” or providing “opportunities to engage” with a campaign may expect to be contacted via email. They would not expect their email address to be used and disclosed to a social media company for advertising on their platform or any other unknown purposes… Accordingly, AIQ had the responsibility, under PIPA and PIPEDA, to ensure that it was relying on express consent for the work it was performing on behalf of Vote Leave.

This finding is about political ad targeting, a problem of great societal importance but of minimal relevance to most organizations. The report also includes two findings of broad relevance.

First, the fact that the commissioners took jurisdiction over a matter involving services provided to a foreign political party is important. The commissioners explained:

To be clear, we are not finding, in this section or below, that AIQ’s foreign clients were required to comply with Canadian and BC privacy laws. The practices of those political organizations would generally fall outside the scope of PIPA and PIPEDA, and in any event, were not the subject of this investigation. That said, to the extent that AIQ wished to rely on the consent obtained by those foreign clients for its own collection, use, and disclosure of personal information on their behalf, it would need to ensure that such consent was sufficient, under Canadian or BC law as the case may be, for its purposes.

This quote speaks to an age-old question about whether the use of a commercial service provider can cause activity that would otherwise not be regulated to become subject to Canadian privacy law. This question is of particular concern to provincially regulated employers, who are not subject to federal privacy legislation in respect of employment but often use service providers to help with employment administration.

The Federal Court’s decision in State Farm suggests that the mere engagement of a service provider is not enough to give rise to application (and enforcement jurisdiction). When State Farm was released in 2010 I asked a contact from the OPC how it would interpret State Farm. The answer was, “narrowly,” exactly as the above quote would suggest!

Second, the commissioners make a significant finding about the use of identifying information with Facebook’s “lookalike audience” service – a popular and powerful ad targeting service that involves uploading identifying information about a population (typically of customers) so Facebook can identify and target a lookalike population (of potential customers). The commissioners held that authorization to use personal information for “engagement” purposes was not authorization for “data analytics” purposes, stating:

It is also the case that the privacy notice largely speaks to collecting and using personal information for the purpose of engaging supporters in the campaign and performing services on their behalf. The disclosure of individuals’ personal information to Facebook for data analytics, via its “lookalike audience” feature, does not achieve or relate to either of those objectives. Instead, this disclosure is made to allow Facebook to link supporters to their Facebook profiles and analyze those profiles in order to identify, target, and persuade other similar or like-minded individuals. This is for Vote Leave’s benefit and can certainly not be viewed, in any way, as performing a service on behalf of the voter whose information was processed.

Organizations using the Facebook lookalike service or similar services should pay heed and revisit their source of authorization. More broadly, this quote speaks to the HUGE question, “Is using data to generate insights about a population a use of personal information at all?” The quote suggests the commissioners say “yes,” though there is a reference to data matching done by Facebook that may render this scenario unique. (I like to believe the answer is “no.”)

Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, 2019 CanLII 111872 (PCC).