The right to be forgotten comes to Canada

On Friday, the Office of the Privacy Commissioner of Canada issued a new position on the protection of online reputation. In doing so the OPC recognized a right to have personal information de-indexed from search engine results if it is inaccurate, incomplete or out-of-date. Although the position is in draft, it is nonetheless of critical significance to Canadians’ use of the internet – creating a broader variant of the so-called European “right to be forgotten.”

The OPC says the right arises out of two longstanding parts of the Personal Information Protection and Electronic Documents Act – Principle 4.6 and section 5(3).

Principle 4.6 is the accuracy principle. It reads as follows:

4.6 Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

4.6.2

An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

4.6.3

Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 4.6 dovetails in part with Principle 4.9, which requires organizations to “amend” personal information if it is demonstrably “inaccurate or incomplete.” (Principle 4.9 does not mention currency.)

The OPC’s reasoning is simple. Search engines use and disclose personal information to “provide people with access to relevant information from the most reliable sources available.” This purpose is not served by presenting search results that are not accurate, complete or up-to-date. Though accuracy, completeness and currency are the key concepts, the OPC says that search engines should interpret and apply them in light of how materially the impugned content affects individuals’ interests and the countervailing (public) interest in continued accessibility.

Section 5(3) of PIPEDA restricts organizations to handling personal information for purposes that a “reasonable person would consider are appropriate under the circumstances.” The OPC says that section 5(3) could also be the basis of a valid de-indexing request, giving the following two examples:

  • Where content is unlawful, or unlawfully published (e.g. where it contravenes a publication ban, is defamatory, or violates copyright; etc.)
  • Where the accessibility of the information may cause significant harm to the individual, and there is either no public interest associated with the display of the search result, or the harm, considering its magnitude and likelihood of occurrence, outweighs any public interest

This newly-recognized right invites de-indexing requests to search engines as the primary means of obtaining relief from online reputational harm, though the OPC has also recognized a right to take down content. The right to take down content is a more limited right, in part because the OPC only has jurisdiction over those who publish personal information “in the course of commercial activity.”

The significance of the new position cannot be overstated; there are many Canadians who feel plagued by internet posts that are unflattering if not disparaging. Search engines will not embrace this development – leaving a possibility of an enforcement dispute (and Federal Court input) and vigorous lobbying for a legislative amendment. It may take some time, but watch for a Charter challenge.

You can read the draft report here.

OPC gives guidance, argues for more enforcement power

It’s hard being the Office of the Privacy Commissioner of Canada. The OPC is responsible for making sure all is right in commercial sector and federal government sector privacy. It has a pretty small operating budget, yet issues in these sectors are meaty and novel – I dare say harder to deal with than the privacy issues raised in the health and provincial public sectors. More than anything, meeting the OPC mandate is particularly challenging because the mandate is to enforce a principled statute that affords a “right to privacy” that lacks a well-understood meaning.

It is in this context that the OPC issued its 2016-2017 Annual Report to Parliament. The report includes a 24-page “year in review” on PIPEDA that follows the OPC’s public consultation on informed consent and some polling work that shows 90% of Canadians are concerned about their privacy. The OPC concludes that the PIPEDA commercial sector regime is at a crossroads – making some suggestions about new directions, giving some practical guidance and arguing for more enforcement power.

This post is to highlight the most significant new directions and practical guidance and to provide a short comment on the argument for more enforcement power.

The most significant new directions and practical guidance:

  • The OPC will expect organizations to address four elements in obtaining informed consent – what personal information is being collected, who it is being shared with (including an enumeration of third parties), for what purposes information is collected, used or shared (including an explanation of purposes that are not integral to the service) and what the risk of harm to the individual is, if any.
  • The OPC will draft and consult on new guidance that will explicitly describe those instances of collection, use or disclosure of personal information which we believe would be considered inappropriate from the reasonable person standpoint under subsection 5(3) of PIPEDA (no-go zones).
  • The OPC says that “in all but exceptional cases, consent for the collection, use and disclosure of personal information of children under the age of 13, must be obtained from their parents or guardians” and “As for youth aged 13 to 18, their consent can only be considered meaningful if organizations have taken into account their level of maturity in developing their consent processes and adapted them accordingly.”
  • The OPC will encourage industry to develop codes of practice and fund research for the purpose of developing codes of practice to address more particular, sector-specific challenges – presumably a mechanism by which organizations will be able to seek safe harbour.
  • The OPC will make greater use of its power to initiate investigations “where [it sees] specific issues or chronic problems that are not being adequately addressed.”

Then, there’s the OPC’s argument for more enforcement powers. Specifically, the OPC wants Parliament to drop the “reasonable grounds” restriction from its audit power so it can engage in truly proactive audits, it wants the power to levy fines and it wants PIPEDA to feature a private right of action – all of which would invite a departure from the ombudsman model the OPC has operated under since PIPEDA came into force in 2004.

I personally dislike the ombudsman model of enforcement because it doesn’t come with the procedural safeguards associated with more formal enforcement models and can therefore give the ombudsman a frightening degree of “soft” power. This said, the prospect of big fines and lawsuits based on substantive rules that are poorly defined and understood is even more frightening to those in the business of privacy compliance and defence. This is the irony of the OPC report: at the same time the OPC admits that the substance of PIPEDA is, at the very least, “challenged,” it asks to enforce it with a new hammer. Now going through an admittedly bad experience with CASL – legislation that the OPC would argue is much more “ineffective” than PIPEDA (see p. 34) – we can readily foresee the wasted compliance costs that the proposed change to PIPEDA could invite. Even if business is indeed responsible for the great concern about privacy that the OPC’s polling effort reveals, this is nonetheless a valid position for business to take going forward.

Two presentations all about information

Here are two recent presentations that may be relevant to you – one on finding internet evidence that I presented last Saturday at our firm’s PD day and another from a few days earlier on privacy, data security and CASL compliance at financial services firms. If you work in management and something catches your eye that raises questions do get in touch.


SCC says PIPEDA does not constrain a court’s procedural power

The Supreme Court of Canada decided the case of RBC v Trang this week. It held that the Personal Information Protection and Electronic Documents Act does not limit the procedural powers of a court. If a court, based on analysis that is not at all governed by PIPEDA, decides that an order to disclose personal information is warranted, it may issue the order. The order may be complied with notwithstanding PIPEDA.

Here is the ratio in Trang:

As a result of s. 7(3), PIPEDA does not diminish the powers courts have to make orders, and does not interfere with rules of court relating to the production of records. In addition, PIPEDA does not interfere with disclosure that is for the purpose of collecting a debt owed by the individual to an organization, or disclosure that is required by law. In other words, the intention behind s. 7(3) is to ensure that legally required disclosures are not affected by PIPEDA.

All is right in the world again after the Ontario courts got quite twisted up on a very fundamental question about PIPEDA’s impact on the civil justice system.

The Court also held that debtors implicitly consent to the disclosure of mortgage status information (current balance) to judgement creditors who are seeking to recover a debt. This creates an opportunity for banks to assist judgement creditors without requiring them to obtain a court order. (Might the Court have had the burden of pro forma motions in mind?)

More generally, the Court supported a very flexible, fully-contextual implicit consent standard. This arguably erodes privacy protection and invites uncertainty, but also allows for just and sensible outcomes despite a consent rule in PIPEDA that is otherwise quite strict. Of course, this will feed the current dialogue about whether consent is a meaningful principle by which to govern the protection of personal privacy.

Royal Bank of Canada v. Trang, 2016 SCC 50 (CanLII).

Cybersecurity and data loss (short presentation)

Here’s a 10 minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information’ and substituting ‘means to view, handle or otherwise deal with the information.’” The removal of “access” from the breach notification provision will therefore not invite a change.

Court dismisses application for information about business partner’s employees

On April 2nd, the Ontario Superior Court of Justice dismissed an application for the disclosure of detailed employee payroll information from an employer to its partner in a joint venture.

The partner was partially responsible for the employer’s wage bill and relied on its right to inspect records under the joint venture agreement. The employer argued that, despite the agreement, it could not disclose employee personal information without violating PIPEDA. As an alternative, the employer offered to have an audit conducted and share the results. The partner felt this was insufficient.

Justice Perell held that he had no power to make an order that would relieve the parties from the PIPEDA consent requirement, stating “s. 7(3)(c) of PIPEDA does not provide a free-standing jurisdiction to grant exemptions.” He dismissed the application without prejudice to the filing of a new application based on the “activation” of another PIPEDA exemption.

Mountain Province Diamonds Inc v De Beers Canada Inc, 2014 ONSC 2026 (CanLII).

OPC issues important decision for federally-regulated employers on access to “mixed personal information”

Federally-regulated employers should pay heed to OPC report of findings 2013-004, issued in July 2013. It contains the most detailed guidance to date on how to administer requests for access to personal information about employees that was received from other employees in confidence – information sometimes called “mixed personal information.”

The OPC adopts the case-by-case balancing of interests approach endorsed by the Federal Court of Appeal in a Privacy Act case called Pirrie: “In determining the right to have access to this information under PIPEDA, the interests of the individuals concerned should be balanced against each other along with the public interest for and against disclosure.”

This test does not support a “bright line,” so the OPC guidance is welcome. It uses 2013-004 to distinguish between two scenarios:

  • The OPC held that notes containing peer feedback that an employer received in conducting a routine performance feedback process were exempt from the right of access. It helped that the employer had provided the complainant with a high-level summary of feedback and helped that the complainant himself had expressly promised to his peers that their feedback would be given anonymously.
  • The OPC distinguished its prior treatment of information gathered in an internal investigation from witnesses when the investigation led to the complainant’s dismissal from employment. The OPC affirmed the complainant’s right of access in this scenario, but specified that the complainant required access to her personal information “as part of her efforts to be re-instated in her position,” which suggests that the complainant had either commenced litigation or that litigation was reasonably contemplated. The OPC also noted, “there were no formal assurance made that the information the investigation participants provided would be kept confidential.”

This gives federally-regulated employers some indication of the OPC’s perspective on a common and significant access issue, though the analysis invited by the Pirrie test is very contextual and outcomes will differ based on a wide range of potentially relevant facts. While the OPC’s decision on access to information gathered from witnesses in an internal investigation might be of some concern to employers, employers cannot provide witnesses with an absolute promise of confidentiality given witness statements may be producible in litigation. If the OPC decision merely suggests that witness statements are likely to be accessible under PIPEDA when litigation is reasonably contemplated it will be rather harmless in its impact.

Bank provides former employee with insufficient access to his personal information, 2013 CanLII 71855 (PCC).

Ontario court says PIPEDA does not apply to LawPro

On August 28th, the Ontario Superior Court of Justice held that LawPro (who insures Ontario lawyers) was entitled to report various allegations made against an insured to the Law Society of Upper Canada.

LawPro made the report after the insured was sued and before it denied him coverage. The Court held that LawPro wrongly denied coverage but dismissed the insured’s breach of confidence and privacy claim.

The Court held that LawPro did not breach PIPEDA because it is not engaged in commercial activity. It explained:

Counsel for LawPro submits, correctly in my view, that the providing of mandatory professional liability insurance to the province’s lawyers is not a commercial activity within the meaning of section 4(1)(a) of PIPEDA. Although LawPro is designed to conduct itself in a financially viable manner, its principal shareholder is the Law Society – a regulatory body – and its mandate entails “a commitment to working with the bar in the public interest over the long term”. LawPro, Our Story: 15 Years of Making a Difference (Lawyers Professional Indemnity Company, 2010), online: http://www.practicepro.ca/LawPROmag/15Anniversary Booklet.pdf, at p. 4. That mandate takes LawPro outside of the type of activities to which PIPEDA applies.

The Court also held that LawPro acted properly in making the report notwithstanding the insured’s argument that his communications with LawPro were made to a solicitor in his and LawPro’s common interest and were therefore subject to solicitor-client privilege. The Court held that LawPro had a duty to report that superseded solicitor-client privilege.

(Is there really such a duty? I question whether the decision merely suggests that LawPro was entitled, as a matter of public interest, to report.)

Cusack v The Lawyers’ Professional Indemnity Co., 2013 ONSC 5511 (CanLII).

Voluntary bank disclosure to police lawful

On August 7th, Justice Fuerst of the Ontario Superior Court of Justice held that the police did not breach an individual’s reasonable expectation of privacy by receiving information from two banks and using the information to obtain restraint orders.

The judgement is notable for the Court’s recognition of the banks’ legitimate interest in providing voluntary assistance to the police. Justice Fuerst said:

The bank was directly implicated in allegations of money-laundering. It had a legitimate interest in preventing the criminal misuse of its services, particularly in circumstances where accounts associated to the applicant were alleged to be offence-related property subject to forfeiture.

Disclosing personal information to the police (within certain parameters) is permitted by sections 7(3)(c.1) and 7(3)(d) of the Personal Information Protection and Electronic Documents Act, which Justice Fuerst noted in her reasonable expectation of privacy analysis. Section 7(3)(d) authorizes disclosures initiated by commercial organizations. Notably, Justice Fuerst held that section 7(3)(d) allows for some two-way dialogue between the disclosing organization and the police: “It is unreasonable to interpret s. 7(3)(d) so narrowly that police officers to whom information is given by organizations like banks about possible criminal activity can do no more than passively receive it and are prevented from asking for specifics or details necessary to take steps in response.”

R v Kenneth James, 2013 ONSC 5085 (CanLII).