The media has reported that a Report of Findings recently issued by the Privacy Commissioner of Canada (OPC) led to the cancellation of the television show “Border Security” – a privately produced documentary that covered the operations of the Canada Border Services Agency (CBSA).
How is it that the CBSA was made liable for a breach of the federal Privacy Act for intrusive action taken by an arm’s-length producer?
In its 26-page report the OPC does probe at the degree of control the CBSA exercised over the producer’s activity but ultimately declined to find that the producer’s collection of personal information was also the CBSA’s collection of personal information. The OPC explained:
However, the question of whether the CBSA can be said to be participating in the collection of personal information for the purpose of the Program is not determinative of our finding in this case. In our view, the CBSA is first collecting personal information in the context of its enforcement activities and thereby has a responsibility under the Act for any subsequent disclosure of the information that is collected for, or generated by, such activities.
Following our investigation, we are of the view that there is a real-time disclosure of personal information by the CBSA to Force Four [the producer] for the purpose of Filming the TV Program. Under section 8 of the Act, unless the individual otherwise provided consent, this personal information collected by the CBSA may only be disclosed for the purpose(s) for which it was obtained, for a consistent use with that purpose, or for one of the enumerated circumstances under section 8(2).
By this reasoning the OPC distinguishes the information flow under assessment from one in which CBSA is simply being observed while conducting its operations. The OPC finding seems to rest on the CBSA’s purposeful provision of access to personal information that would have otherwise been inaccessible – access that invites a “real-time” disclosure of personal information. The OPC applies a novel, expansive conception of a “disclosure.”
From time-to-time organizations are faced with a concern about the potentially invasive activities of others on their property or otherwise within their domain. Most often, they can take comfort in the availability of an “it’s not my collection and not my doing” defence. This OPC finding illustrates when such a defence might not be available.
Report of Findings dated 6 June 2016 (PA-031594).
Whether information is “personal information” – information about an identifiable individual – depends on the context. The Court of Appeal of Alberta issued an illustrative judgement on April 14th. It held that a request for information about a person’s property was, in the context, a request for personal information. The Court explained:
In general terms, there is some universality to the conclusion in Leon’s Furniture that personal information has to be essentially “about a person”, and not “about an object”, even though most objects or properties have some relationship with persons. As the adjudicator recognized, this concept underlies the definitions in both the FOIPP Act and the Personal Information Protection Act. It was, however, reasonable for the adjudicator to observe that the line between the two is imprecise. Where the information related to property, but also had a “personal dimension”, it might sometimes properly be characterized as “personal information”. In this case, the essence of the request was for complaints and opinions expressed about Ms. McCloskey. The adjudicator’s conclusion (at paras. 49-51) that this type of request was “personal”, relating directly as it did to the conduct of the citizen, was one that was available on the facts and the law.
The requester wanted information about her property because she was looking for complaints related to her actions. The request was therefore for the requester’s personal information. Note the Court’s use of the word “sometimes”: context matters.
Edmonton (City) v Alberta (Information and Privacy Commissioner), 2016 ABCA 110 (CanLII).
Section 38(2) is an important provision of Ontario’s provincial public sector privacy statue. It requires institutions to satisfy a necessity standard in collecting personal information. Ontario’s municipal public sector privacy statute contains the same provision.
On May 4th, the Divisional Court dismissed an Liquor Control Board of Ontario argument that the Information and Privacy Commissioner/Ontario had erred by applying a higher standard than “reasonable necessity” in resolving a section 38(2) issue. The Divisional Court held that the Court of Appeal for Ontario’s Cash Converters case establishes just such a standard:
The LCBO relies upon Cash Converters to support its submission that the IPC erred in not interpreting “necessary” as meaning “reasonably necessary.” However, Cash Converters does not interpret “necessary” in this way. In fact, it suggests the opposite. Arguably, something that is “helpful” to an activity could be “reasonably necessary” to that activity. Yet, the Court of Appeal makes it clear that “helpful” is not sufficient.
It’s hard to fathom a legislative intent to prohibit a practice that is, by definition “reasonable.” If the LCBO seeks and is granted leave to appeal this could lead to an important clarification from the Court of Appeal on a strict interpretation of section 38(2) that has stood for some time. The LCBO practice at issue – which involves collecting the non-sensitive information of wine club members to control against the illegal stockpiling and reselling of alcohol – is a good one for testing the line.
Liquor Control Board of Ontario v Vin De Garde Wine Club, 2025 ONSC 2537.