Eye On Privacy
Volume 10, No. 2
May/Mai 2010
Privacy Law Section
Section du droit de la protection à la vie privée


The Nascent Tort of Invasion of Privacy
 

Mark Hayes

An in-depth analysis of the evolving common law tort of invasion of privacy in Canada as the author discusses recent cases in Ontario and other provinces and developments in other Commonwealth jurisdictions.


Privacy Breach Notification: A Snapshot of Laws in Canada
 

Amanda Lawson and Maureen L. Murphy

Mandatory requirement to notify individuals of privacy breach not yet common.


A Year in Review: Key Findings of the Privacy Commissioner of Canada in 2009
 

Nicole Kutlesa

Privacy Commissioner’s findings explore a variety of issues such as collection of date of birth and licence numbers, use of surveillance and disclosures in legal proceedings.


Bill C-27, the Electronic Commerce Protection Act: Spam and PIPEDA Amendments
 

Howard Simkevitz

How the proposed law, which ended with the last session of Parliament, could have dealt with spam and anti-phishing.


Insurance Fraud: Association Claims OPC’s Guidelines on Covert Surveillance Unduly Inhibit Private Investigators
 

Norman Groot

Association urges Privacy Commissioner to develop separate guidelines on covert surveillance in different contexts.


From the Editorial Desk
 

Abi Lewis

Sampling privacy debate on the international scene and activities of regulators in Canada.


About this Newsletter
 

Editors:
Abiodun O. Lewis

OBA Editor:
Cheryl Crocker

Eye on Privacy is published by the Privacy Law Section of the Ontario Bar Association. Members are encouraged to submit articles. The articles that appear in this publication represent the opinions of the authors. They do not represent or embody any official position of, or statement by, the OBA except where this may be specifically indicated; nor do they attempt to set forth definitive practice standards or to provide legal advice. Precedents and other material contained herein are intended to be used thoughtfully, as nothing in the work relieves readers of their responsibility to consider it in the light of their own professional skill and judgment.



The Nascent Tort of Invasion of Privacy
 

Mark Hayes*

Canadian common law has been hesitant to deal with privacy as a tort, although that may be slowly changing. While only a few years ago, it would have been possible to say with reasonable certainty that no common law tort of invasion of privacy existed in Canada, some recent decisions in Ontario and other provinces are now signalling that a common law right to privacy may someday be consistently enforced by the courts.

1. The Traditional Position

Historically, an independent common law tort of invasion of privacy has not been recognized in Ontario and the rest of Canada. Rather, to the extent that privacy interests have been protected, that protection has been obtained through claims in trespass (to land, chattels and the physical person), nuisance (indirect invasion of an occupational interest in land which unreasonably interferes with one’s enjoyment of it)1 or defamation and injurious falsehood and deceit (false statements calculated to cause pecuniary damage). Other recognized causes of action that might directly be brought to protect privacy interests include wilful infliction of nervous suffering, passing off, appropriation of personality and breach of confidence.2

Although the general trend has been to reject a free-standing tort of invasion of privacy, there have been isolated cases where courts were willing to ground liability in something very close to a privacy tort. In Saccone v. Orr,3 the court found an invasion of privacy where the defendant recorded and played back a private telephone conversation. In Roth v. Roth,4 the court recognized a common law right of privacy, and found that the defendants’ verbal harassment, blocking of an access road to the plaintiff’s property that went across their land, and removal of previously shared property from the plaintiffs’ land (which resulted in the shutting off of electricity without reasonable notice) constituted an invasion of privacy.

In Graye v. Filliter5 (Graye), the Court refused to strike a claim for an alleged invasion of privacy by a newspaper reporter. The defendants alleged that the claim was nothing more than a dressed up version of a defamation claim (which could not be asserted because of a failure to give requisite statutory notice), but the Court disagreed:

[41] On the facts as set out in the statement of claim in this action, there are substantial allegations against the co-defendants and Ferguson as conspirators intending to embark upon a course of conduct to cause the plaintiff injury. The allegations in the pleading, if true, might well establish conduct on the part of Ferguson and his co-defendants beyond the publication of the articles in question. If true, the nature of the conspiracy to obtain and improperly release documents and information to Ferguson with the intention of injuring the plaintiff might, on the facts of this case, make any tort of defamation incidental to the tort of conspiracy rather than having the tort of conspiracy incidental to the tort of defamation …

[50] The fact that the plaintiff in this action seeks damages for an alleged breach of privacy in the factual circumstances recited above does not seem far removed or significantly different from the concepts and general principles reviewed in Saccone v. Orr.

[51] … I am not prepared to hold, at this stage, that no cause of action exists for breach of privacy and I would echo the sentiments expressed by Mr. Justice Parker when he said: “The plaintiff therefore has the right to be heard, to have the issue decided after trial.” As pleaded, the cause of action may be novel but, in my view, it ought not to be strangled at birth because of difficulties in the pleading process.

Although none of these cases have to date involved the use of personal information that had been collected for business purposes,6 one type of business-related activity that has been found to constitute an invasion of privacy is overzealous attempts to collect on debts. In Palad v. Pantaleon,7 the plaintiff sought repayment of a $10,000 loan. When the loan was not repaid, the plaintiff began telephoning the defendant at her home and at her place of employment, and eventually attended at the defendant’s place of employment and demanded repayment of the loan in front of her co-workers. Other cases have similarly found an invasion of privacy for excessive debt collection activities.8

Those cases that have allowed claims relating to improper use of private and confidential information have applied a test of “whether the particular invasion of privacy is necessary to the proper administration of justice and, if so, whether some terms are appropriate to limit that invasion.”9 There is a disagreement as to whether this creates an independent “right of privacy” or a separate tort of “invasion of privacy”:

Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather “privacy” rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions…[i]s a separate tort of “invasion of privacy” necessary? It is arguable that it is not. The concept of privacy is too ambiguous and broad to be able to be covered adequately in one cause of action. It is desirable to have the different aspects of privacy protection dealt with in separate torts, which more clearly can focus on the interests at hand. Gaps in the law which cannot be filled by extending traditional principles can be dealt with as they arise, either through the expansion of the common law or by legislative intervention.10

Even in those cases where the court was inclined to recognize a tort of invasion of privacy, no clear standards were elaborated for establishing a cause of action for invasion of privacy; rather, “whether or not an invasion of privacy results in an actionable and compensable tort depends on the circumstances of any particular case and the conflicting rights involved.”11 For example, in Lipiec v. Borsa,12 the court found that the defendant’s installation of a surveillance camera focussed on his neighbour’s backyard was an intentional invasion of privacy.

As a result, none of the Canadian case law up to 2001 provided a clear answer about whether a tort of invasion of privacy exists in Canada. Before looking at Canadian case law since 2001, it is useful to consider developments in other Commonwealth jurisdictions.

2. Recent Commonwealth Developments

In Douglas v. Hello! Ltd.,13 the U.K. Court of Appeal dealt with an application for an injunction that had been issued by a Queen’s Bench judge14 preventing the defendant newspaper from publishing photographs of a celebrity wedding that had been promised to a competitor through an exclusive arrangement. One of the claims made by the plaintiffs was that there had been an invasion of their common law right to privacy. The three members of the Court of Appeal agreed that the injunction should not have been granted, but each judge arrived at that result by a different path. Only Sedley L.J. supported the existence of a freestanding common law right of privacy:

[W]e have reached a point at which it can be said with confidence that the law recognises and will appropriately protect a right of personal privacy. … What a concept of privacy does, however, is accord recognition to the fact that the law has to protect not only those people whose trust has been abused but those who simply find themselves subjected to an unwanted intrusion into their personal lives. The law no longer needs to construct an artificial relationship between intruder and victim: it can recognise privacy itself as a legal principle drawn from the fundamental value of personal autonomy.15

This suggestion by Sedley L.J. created quite a stir in the privacy bar, since it was the highest authority in the Commonwealth courts to suggest the existence of such a free-standing tort of invasion of privacy. In the subsequent High Court trial decision16 and in the Court of Appeal decision affirming the High Court’s judgment in favour of the plaintiffs,17 the theory of liability adopted by the Court sounded in breach of confidence, largely based on the commercial nature of the interests that the plaintiffs had in managing their personas and likenesses. The dicta of Sedley L.J. suggesting a free-standing privacy tort was not followed by the trial judge, who pointed out that in fact the House of Lords had once again decided, in a case handed down between the time of the initial injunction proceedings in Douglas and the trial, that no general tort of invasion of privacy exists under U.K. common law.18

Between the trial decision in Douglas and judgment of the Court of Appeal, the House of Lords released its judgment in Campbell v MGN Ltd,19 which involved a series of newspaper stories and related photographs of the plaintiff supermodel leaving a drug addiction treatment facility. The plaintiff had for years publicly denied any involvement with drugs, but by the time the case reached the House of Lords, the plaintiff had conceded that the defendants were justified in publishing the fact of her drug addiction and that she was receiving treatment. However, the majority of the House of Lords panel decided that the defendants had committed a breach of confidence when they published the fact that the plaintiff was receiving treatment at Narcotics Anonymous, the details of the treatment and photographs showing her leaving a meeting with other addicts. The House of Lords confirmed both that “[i]n this country, unlike the United States of America, there is no over-arching, all-embracing cause of action for ‘invasion of privacy’”20 and what had by that point become obvious: the tort of breach of confidence had morphed itself into a type of privacy protection, referred to by Lord Nicholls of Birkenhead as the tort of “misuse of private information”.21 The nature of this shift in emphasis was best described by Lord Hoffmann:

The result of these developments has been a shift in the centre of gravity of the action for breach of confidence when it is used as a remedy for the unjustified publication of personal information. It recognises that the incremental changes to which I have referred do not merely extend the duties arising traditionally from a relationship of trust and confidence to a wider range of people. . . [T]he new approach takes a different view of the underlying value which the law protects. Instead of the cause of action being based upon the duty of good faith applicable to confidential personal information and trade secrets alike, it focuses upon the protection of human autonomy and dignity - the right to control the dissemination of information about one's private life and the right to the esteem and respect of other people.

This shift in U.K. law is a fundamental one, and imposes limitations on the ability of journalists and others to disclose an individual’s private information in circumstances where such disclosure would be embarrassing or hurtful. The House of Lords expressly rejected imposing a requirement that the disclosure “be highly offensive to a reasonable person”;22 instead, the Court must determine whether the personal information is of a nature that should in all the circumstances be considered private (sometimes referred to as the “reasonable expectation of privacy” test23), whether there was justification for the disclosure (such as consideration of freedom of the press or some other societal interest) and whether the nature and extent of the disclosure was reasonable in view of the nature of the information and the risk of damage resulting from the disclosure.

While U.K. law has clearly moved in the direction of protecting privacy interests through the tort of breach of confidence, other Commonwealth jurisdictions have produced a variety of inconsistent approaches. While members of the High Court of Australia, in a case involving an injunction to restrain broadcast of a video taken surreptitiously inside an abattoir,24 mused, without deciding, about the possibility that a separate tort of breach of privacy might be found to exist,25 subsequent Australian decisions have continued to reject the idea.26 New Zealand27 and India28 have recognized at least some form of a common privacy right.

3. Recent Ontario Developments

The sweeping changes in U.K. law, and in particular the development of the wider ambit of the tort of “misuse of private information,” have not to date heavily influenced Canadian courts in their treatment of invasion of privacy claims. The main feature of the current debate in the case law seems to be the contrast between rulings by the Court of Appeal that there is no freestanding tort of invasion of privacy and the persistent refusals of the lower courts to accept that no such tort exists.

In Euteneier v. Lee,29 the Court of Appeal placed what many thought was the final nail in the coffin of a freestanding tort of invasion of privacy. The plaintiff had been stripped and handcuffed to the bars of a holding cell after apparently attempting suicide in custody. She asserted several causes of action against the police officers who were involved in her arrest and detention. Her claim was dismissed at trial but partially restored by the Divisional Court. In restoring the decision of the trial judge, the Court of Appeal stated as follows:

[47] Second, as I will also discuss, Euteneier did not plead that the appellants owed duties to her to maintain her dignity and to prevent her humiliation. Rather, as framed in her pleading, her allegations concerning her dignity and privacy interests were either particulars of the causes of action asserted by her against the appellants or descriptions of the consequences that she claimed flowed from the wrongful acts of the police. Yet, the Divisional Court appears to have treated these allegations as stand-alone causes of action, which required specific adjudication at trial. In my view, this approach was in error. …

[62] As I understand her argument, Euteneier’s real complaint is that the trial judge mischaracterized the duty of care owed to her by the police by failing to specifically discuss her privacy and dignity interests when articulating, and subsequently considering, the duties owed by the appellants to Euteneier under the Charter.

[63] But Euteneier properly conceded in oral argument before this court that there is no ‘free-standing’ right to dignity or privacy under the Charter or at common law. For example, although respect for human dignity underlies many of the rights and freedoms in the Charter, it is not a principle of fundamental justice under s. 7 of the Charter. (emphasis added)

The Court of Appeal found that damages could be awarded for a violation of the Charter or of “Charter values,” even if there is no underlying tort liability, but of course such liability will only attach to state action and would not create a cause of action between citizens. Despite the clear statement by the Court of Appeal in Euteneier denying the existence of a tort of invasion of privacy, trial courts have been unwilling to let go of the concept.

In Metz v. Tremblay-Hall30 a lawyer made a claim against a number of other lawyers and a law firm arising from alleged racial slurs and a campaign of harassment. Included in her claim was an allegation of the tort of “violation of privacy” alleged to arise as a result of certain e-mails sent by some of the defendants. The defendants moved to strike out the privacy claim. The Court began its analysis of the privacy issue by stating that “there is a question as to the status of the tort of invasion of privacy and Canada.” After referring to Tran and Euteneier, the Court commented as follows:

[64] [The defendants] submit that the tort of invasion of privacy is not recognized in Ontario, and they rely on the comment of the Court of Appeal in Euteneier that there is no ‘free standing’ right to privacy under the Charter or at common law. Mindful that the novelty of the cause of action should not prevent a party from proceeding with its case, I would not at the pleading stage deprive the Plaintiff of the benefit of claiming an invasion of privacy, as she does in paragraphs 27 and 28 of the Amended Statement of Claim. [The defendants] submit that the Plaintiff had no reasonable expectation of privacy in the circumstances … . My response is that [the defendants] can plead these submissions as defences. However, these defences are not in themselves a bar to the right of the Plaintiff to properly plead the tort.

In Somwar v. McDonald's Restaurants of Canada Ltd.31 (Somwar), Justice Stinson of the Ontario Superior Court reviewed the law on a motion to strike a pleading claiming damages for “invasion of privacy”32 and determined that the law was unclear enough that the plaintiff’s claim should be permitted to proceed to trial:

[20] The courts of Ontario have not been unanimous concerning the existence of a common law tort of invasion of privacy. In Haskett v. Trans Union of Canada Inc. (2001), 10 C.C.L.T. (3d) 128 (Ont. S.C.J.), aff'd 15 C.C.L.T. (3d) 194, (Ont. C.A.), the plaintiff alleged that the defendant credit-reporting agencies had unlawfully included his pre-bankruptcy debts in consumer reports and incorrectly reported them as collectible debts. He sought to bring a class proceeding against the defendants for damages based on breach of fiduciary duty, invasion of privacy, and negligence. The defendants moved to strike the statement of claim on the ground that it did not disclose a reasonable cause of action. With respect to invasion of privacy, Cumming J. found that it was plain and obvious that the complaint of wrongful inclusion of inaccurate information in a credit report did not amount to a reasonable cause of action in tort. Cumming J. quoted with approval from Professor Klar in his text Tort Law (Toronto: Carswell, 1991) where he stated at p. 56 as follows:

Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather “privacy” rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions.

Cumming J. acknowledged, however, that “more recently, there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy.” [Emphasis added.] On appeal, the appellant limited his claimed cause of action to negligence. Thus, the Court of Appeal did not address the ruling of the motion judge with respect to the issue of invasion of privacy.

[21] In T.W. v. Seo, [2003] O.J. No. 4277 (Ont. S.C.J.) (varied on other grounds at [2005] O.J. No. 2467 (C.A.)), the defendant was an ultrasound technician who videotaped the plaintiff while she was in the change room. The plaintiff’s claim included a claim for damages based on the tort of invasion of privacy. Siegel J. refused to put any questions to the jury relating to this cause of action as he found that “insofar as a common law tort of invasion of privacy was recognized in Canada, it did not extend to these facts.”

[22] In light of the trial decisions listed in this brief survey of Ontario jurisprudence, and the absence of any clear statement on the point by an Ontario appellate court, I conclude that it is not settled law in Ontario that there is no tort of invasion of privacy. (citations omitted)

Justice Stinson did not refer to the Court of Appeal’s decision in Euteneier.

While hardly a ringing endorsement of the existence of a freestanding tort of invasion of privacy, Somwar makes it clear that Ontario trial courts are determined to keep open the possibility of successfully asserting a claim for invasion of privacy. Since Somwar, there have been a number of Ontario cases that have discussed invasion of privacy.

In Zorz v. Attard,33 the parties had a dispute over their residential properties in Toronto. While the main issue was adverse possession, there were allegations of breach of privacy. The Court referred to Lipiec v. Borsa (but none of the other cases that were decided since that decision in 1996) in support of the argument that an invasion of privacy could result in an award of damages. In the result, the Court awarded “damages on account of trespass, nuisance, and invasion of privacy in the amount of $7500.00.”

Nitsopoulos v. Wong34 was a case similar to Graye (and in fact involved the same newspaper defendant and defence counsel) in that the plaintiff did not commence an action in respect of the impugned article within the time limit prescribed by the Libel and Slander Act, and therefore was forced to assert causes of action other than defamation. One of the plaintiff’s claims was for “invasion of privacy” and the defendants moved to strike. The Court stated as follows:

[8] Canadian courts have been reluctant to recognize a separate common law right to privacy. For example, in the case of Ueteneier v. Lee, 2005 CanLII 33024 (ON C.A.), (2005), 77 O.R. (3rd) 621 (C.A.) Cronk J.A. observed that the Appellant had “properly conceded in oral argument before this court that there is no “free standing” right to dignity or privacy under the Charter or at common law”. The Globe and Mail submits that even if this court is not bound by that statement and finds that the tort of invasion of privacy should be recognized as a potential cause of action, the damages allegedly sustained by the plaintiffs stem only from the publication of the article itself and therefore must characterized as defamation, and subject to the defence provided in Section 6 of the Libel and Slander Act.

[19] Insofar as the claim based on invasion of privacy is concerned, I agree with Stinson J in Somwar v. McDonald’s of Canada Ltd. (2006) 79 O.R. 3rd, 172 (S.C.J.) at para. 22, that “it is not settled law in Ontario that there is no tort of invasion of privacy”. I adopt the detailed and very helpful reasons of Stinson J in arriving at that conclusion.

In Warman v. Grosvenor35 (Warman), a federal government employee brought an action for defamation, assault and invasion of privacy in respect to an Internet and e-mail campaign against him by the defendant. Unlike Somwar and Nitsopoulos v. Wong, which were decided at early stages of the action, Warman was a trial decision. After finding for the plaintiff in respect of the assault and defamation claims, the Court referred to the “difference in judicial opinion as to whether there exists a common right (sic) to privacy in Canada,” but seems to sidestep the issue by finding that “there is no tortious conduct amounting to an invasion of privacy that is separate from the conduct making the defendant liable for damages for defamation and assault” and that as a result “the conduct causing the harm is recoverable in damages for defamation and assault and there is no separate tortious conduct resulting in separate harm, in my view, that is recoverable by the plaintiff for a tort of invasion of privacy.” The Court appears to be saying that there is a recognizable invasion of privacy tort, but that an award of damages pursuant to that tort requires that the damage caused by the invasion of privacy not be otherwise subsumed under another tort committed by the plaintiff. Perhaps not surprisingly, there is no authority cited for this novel formulation. Clearly, the Court wished to express its disapproval of the invasion of privacy by the Defendant, but in view of its finding in respect of the other causes of action, it probably would have been preferable to steer clear of making any definitive pronouncement about the privacy claim.

Lastly, one recent Ontario case dealt with invasion of privacy in the employment context. In Colwell v. Cornerstone Properties Inc.36 (Colwell), the plaintiff, a long-term employee of the defendant, discovered a secret camera installed in the ceiling of her office. When she could not obtain what she felt to be a reasonable explanation for the installation of the camera, the plaintiff treated the actions of the defendants as constructive dismissal. In a somewhat confused judgment, the Court found as follows:

Was there constructive dismissal?

[22] Geoffrey England, Roderick Wood, and Innis Christie state in Employment Law in Canada, loose-leaf (Toronto: LexisNexis Butterworth’s, 2005) at para. 8.282: “At this juncture, Canadian employment standards legislation has not gone very far in safeguarding the employee’s right to privacy in the workplace.”

[23] The court accepts this as being the present state of the law.

[24] However, this appears to be a developing field of law, as is that of the existence of a possible tort of invasion of privacy.

[25] Ontario does not have any applicable privacy legislation.

[26] Collective agreement arbitrators have determined that if monitoring and surveillance in the workplace are to be allowed, the employer must have a reasonable apprehension of abuse by the employee to justify the introduction of the device (Re Doman Forest Products Ltd. v. I.W.A. Local 1-357 (1990), 13 L.A.C. (4th) 275).

[27] Further, in some of the Canadian privacy legislation, one of the factors considered is whether or not the employer exhausted all other less intrusive means of combating employee fraud before secretly invading the employee’s privacy.

[28] This noted, employment law must, as a result of the manner in which it has developed, be directed towards “contract” rather than “tort”. A determination must be made as to the implied terms, if any, of the contract of employment, at the time of entering into the contract.

[29] The Supreme Court of Canada has, since Wallace v. United Grain Growers Ltd., 1997 CanLII 332 (S.C.C.), [1997] 3 S.C.R. 701, imposed an obligation of “good faith” and “fair dealing” on an employer for events surrounding the “manner of dismissal”. Should that same obligation be an implied term of an employment contract “during the course of employment”?

[33] The cost to human dignity caused by such surveillance, coupled with the unbelievable explanation subsequently provided, left Mrs. Colwell in a position of being unable to rely upon the honesty and trustworthiness of her immediate supervisor, and amounted to more than merely “bad faith” and “unfair dealing”.

[34] Such actions and justifications poisoned the workplace as Mrs. Colwell stated in her September 17, 2004 e-mail (Exhibit 1, Tab 9).

[35] Not only had her privacy been violated, but so had her contract of employment in that all trust had evaporated.

[36] On the facts of this case, the court finds that Mrs. Colwell’s contract of employment contained an implied term at the time the contract was entered into, that each party would treat the other in good faith and fairly, throughout the existence of the contract, as well as during termination.

[37] I find Mrs. Colwell was justified in leaving this poisoned atmosphere and was, in fact, constructively dismissed.

In the result, the Court did not endorse or reject the concept of a tort of invasion of privacy, but found that the invasion of privacy by the defendant was a breach of the implied terms of the employment contract, which therefore entitled the plaintiff to terminate her employment.

There is as of yet no definitive answer to the question of the existence of a free-standing tort of invasion of privacy in Ontario. What explains the apparent disconnect between the attitudes of the appeal courts and the trial courts towards an invasion of privacy tort? In all likelihood it can reasonably be seen as reflecting the difference in perspectives that each court brings to a dispute. The trial court often will address the invasion of privacy issue early in the action at the pleadings or summary judgment stage when the facts may still be developing and it is not clear whether the plaintiff has a remedy other than the amorphous concept that their privacy has been violated. As a result, trial courts tend to look favourably upon the concept of an invasion of privacy tort, if only to keep the court’s options open as the case moves forward. On the other hand, the appellate courts generally see a case when the factual foundation is well established, and in most situations an invasion of privacy claim looks like an afterthought (if the plaintiff has other causes of action that have been successfully asserted) or an attempt to bolster an otherwise hopeless case (if all of the plaintiff’s other causes of action have been rejected).

Clearly the issue will have to be decided by the Court of Appeal in an appropriate case.

4. What Will the Future Bring?

Based on the developing Canadian case law and the developments in the U.K. and elsewhere, it can reasonably be expected that there will be increasing recognition by Canadian courts of some type of independent privacy right. There are, however, numerous difficulties with judicial creation of a new tort of invasion of privacy. The cases thus far that have opined that such a cause of action either exists, may exist or should exist have not gone very far in detailing the scope of such a tort, including what tests for liability will be applied, the type of causation that is required or the measure of damages.

As a result, it is likely that the development of a tort of invasion of privacy in Ontario will be based on statute,37 will be developed slowly and incrementally by the courts, or will be based on the evolution of a known cause of action that is applied to a loose category of activities that could be referred to as “invasion of privacy.”

In addition, even if a common law right of privacy is not recognized, Canadian courts will in appropriate cases not hesitate to protect privacy.38 Briefly discussed below are three developing areas of law, which might, in certain circumstances, serve as a basis for a common claim for invasion of privacy.

Breach of Confidence

The morphing of the tort of breach of confidence by the U.K. House of Lords, as described above, provides an obvious starting point for the development of a Canadian tort of misuse of private information. Canadian jurisprudence has historically allowed claims for breach of confidence where three conditions are met:

  • the information must have the “necessary quality of confidence about it”.
     
  • the information must have been imparted in confidence.
     
  • there must be unauthorized use to the detriment of the party communicating the information.

The Supreme Court of Canada in Lac Minerals v. International Corona Resources39 (Lac Minerals) held that, where a party receives private information in confidence, there is an expectation that it will not misuse that information for its own benefit,40 and where information of a commercial value is given on a business-like basis, the recipient is regarded as carrying a heavy burden if it seeks to resist a claim that it was bound by an obligation of confidence.

It is readily apparent that business relationships, many of which involve exchanges of personal information, can be seen as creating the necessary relationship of confidence to create an obligation of confidentiality, especially where sensitive personal information is provided by one or both parties as part of the relationship. Examples of such relationships include those between insurer and insured, banker (or other financial advisor) and customer, health care practitioner and patient, consultant and client, and, of course, lawyer and client. In many circumstances, the professional obligations created by the relationship will circumscribe the use of personal information by one or both parties, but there may well be additional common law duties, which will apply in addition to, or in the absence of, such obligations. The difficult question, of course, is determining the extent of the privacy duty in the particular circumstances of each individual relationship.

However, it was only by eliminating as a condition of a claim for breach of confidence the existence of an existing confidential relationship that the U.K. courts have been able to apply breach of confidence principles to privacy issues between relative strangers in cases such as Campbell v MGN Ltd.41 The most recent Supreme Court of Canada decision involving breach of confidence allegations42 stuck closely to the traditional formulation of the requirements for a successful breach of confidence claim and would therefore appear to leave little room for lower courts to follow the lead of the House of Lords.

More recently, however, in G.(H.R.) v. L.(M.S.), the Supreme Court of British Columbia may have started down the path of following the lead of the House of Lords in eliminating the requirement of an existing confidential relationship. The defendant had communicated and posted on the Internet certain true factual information about his ex-wife, including the fact that she had been involved in the sex trade and had an STD. In earlier divorce proceedings,43 the court had issued an injunction prohibiting the defendant from further dissemination of this information on the basis of breach of confidence, although there was little discussion of the basis upon which this order was made and no reference to the recent U.K. jurisprudence.

A second action was commenced after it was alleged that the defendant had breached the earlier injunction. Justice McEwan rejected the view expressed in the earlier divorce proceeding that there had been a breach of confidence, and instead found, relying on a recent U.K. judgment,44 itself based on Campbell v MGN Ltd, that the court could respond in equity, not tort, to enjoin disclosures of true information in order to protect “a reasonable or legitimate ‘expectation of privacy’”. The court did not, however, mention the “misuse of private information” phrase employed by the House of Lords. If breach of confidence is to develop in the manner it has in the U.K., it is likely that intervention by the appellate courts will be necessary.

Fiduciary Duty to Keep Information Confidential

The Supreme Court of Canada in Frame v. Smith45 (Frame) stated that there are three characteristics to be considered in determining whether a fiduciary duty exists:

  • the fiduciary has scope for the exercise of some discretion or power;
     
  • the fiduciary can unilaterally exercise that power or discretion to affect the beneficiary’s interests; and
     
  • the beneficiary is vulnerable to or at the mercy of the fiduciary exercising the discretion or power.

However, a fiduciary relationship may be found even though some of these characteristics are not present; conversely, the presence of such characteristics does not invariably identify the presence of a fiduciary relationship.

For example, in Haskett,46 the court considered, inter alia, whether a credit-reporting agency owed a fiduciary duty to its consumers, and whether the credit reporting agency committed the tort of invasion of privacy. In determining that the credit reporting agency did not owe a fiduciary duty to its consumers, the court reasoned that the credit-reporting agency acted in its own self-interest in selling its services, notwithstanding the fact that the manner of providing such services was constrained by statute. The court held that the credit-reporting agency did not relinquish its self-interest and did not act on behalf of the consumer for the consumer’s benefit. The court further held that, although the credit reporting agency may owe a prima facie duty of care to the consumer, with the standards of the Ontario Consumer Reporting Act47 informing that duty of care, such duty is not a fiduciary duty.

In light of the decision in Haskett, it is unlikely that an enterprise carrying on business in its ordinary course would have fiduciary duties imposed on it beyond any relevant statutory restrictions.

Statutory Rules, Industry Policies and Negligence

In Canada v. Saskatchewan Wheat Pool (Saskatchewan Wheat Pool),48 the Supreme Court of Canada held that while there is no nominate tort of “statutory breach” that will create liability as a result of a government or citizen violating a statutory restriction, proof of statutory breach may be used as evidence of negligence and that the statutory formulation of the duty may afford a specific, and useful, standard of reasonable conduct.49 The Supreme Court subsequently stated:

Legislative standards are relevant to the common law standard of care, but the two are not necessarily co-extensive. The fact that a statute prescribes or prohibits certain activities may constitute evidence of reasonable conduct in a given situation, but it does not extinguish the underlying obligation of reasonableness. … Thus, a statutory breach does not automatically give rise to civil liability; it is merely some evidence of negligence. . .

Where a statute authorizes certain activities and strictly defines the manner of performance and the precautions to be taken, it is more likely to be found that compliance with the statute constitutes reasonable care and that no additional measures are required. By contrast, where a statute is general or permits discretion as to the manner of performance, or where unusual circumstances exist which are not clearly within the scope of the statute, mere compliance is unlikely to exhaust the standard of care.50

While potentially a powerful legal tool, the “statutory negligence” cause of action51 has been rarely used successfully since 1983.52 Subsequent cases have held that a statute will not create a duty of care unless explicitly stated, but statutory restrictions may create a standard of care, although the weight to be accorded to the statutory standard is in the discretion of the trial judge.53

The acceptance of statutory requirements as a standard of reasonable conduct for negligence purposes has been extended to include recognized industry policies, practices, or standards, and the breach of a generally accepted industry standard may constitute evidence of negligence. For example, Zraik v. Levesque Securities Inc.54 confirmed that failing to comply with certain professional duties and internally created guidelines could be used to establish negligence.

As a result, the privacy standards established by federal and provincial personal information protection statutes, as well as industry standards such as model privacy policies or codes, may create specific and useful benchmarks for negligence purposes, both of reasonable conduct with respect to the collection of personal information and of the reasonable expectations of privacy that an individual may have.

5. Conclusion

“Invasion of privacy” remains an attractive, albeit elusive, concept for our courts. While it is tempting, when faced with a difficult fact situation or an unattractive plaintiff, to rely on a vague (and therefore flexible) tort to impose liability, the complexity surrounding privacy issues should cause Ontario courts to tread carefully. As has been demonstrated by the drafting and revision of the federal and provincial personal information privacy statutes over the past few years, it can be difficult to know where to draw the line when it comes to private information and the actions of third parties.

This is especially true in the employment context where employers and fellow employees are of necessity privy to a great deal of personal information about the individuals in the workplace. The injection of an undefined and potentially wide-ranging “right to privacy” in the workplace context could have wide ramifications and a variety of unexpected consequences. As a result, it would likely be better if the development of any invasion of privacy tort were to be undertaken by the legislature rather than by the courts on a piecemeal basis. In the absence of any legislative action, however, it is likely that the Ontario courts will continue with their ongoing fascination, and flirtation, with the idea of the tort of invasion of privacy.

* Mark Hayes, C.S. (Civil Lit. & Int. Prop.), Hayes eLaw LLP, Toronto (www.hayeselaw.com). This article is intended as a general summary of the law and is not legal advice. If you need assistance with any of the legal issues mentioned in this article, please consult a lawyer.

_________________

1 A number of cases have recognized that harassment that invades a person’s privacy can amount to nuisance: Motherwell v. Motherwell (1976), 73 D.L.R. (3d) 62 (Alta. C.A); Provincial Partitions Inc. v. Ashcor Inplant Structures Ltd. (1993), 50 C.P.R. (3d) 497 (Ont. Gen. Div); Dawe v. Nova Collection Services (Nfld.) Ltd. (1998), 160 Nfld. & P.E.I. Rep. 266 (Nfld. Prov. Ct.).
2 Burns, “The Law and Privacy: The Canadian Experience”, 54 C.B.R. 1 at 12-24; Rainaldi, Remedies in Tort (Toronto: Carswell, 2000), at 24-12.1 to 24-19; McIsaac, Sheilds & Klein, The Law of Privacy in Canada (Toronto: Carswell, 1987), at 2-53 to 2-58.1.
3 (1981), 34 O.R. (2d) 317 (Co. Ct).
4 (1991), 9 C.C.L.T. (2d) 141 (Ont. Gen. Div.).
5 (1995), 25 O.R. (3d) 57 (Ont. Sup. Ct.)
6 Rainaldi, supra, note 3, at 24-12.2 to 24-12.4.
7 [1989] No. 985 (Dist. Ct.).
8 For example, Tran v. Financial Debt Recovery Ltd., (2000), 193 D.L.R. (4th) 168, [2000] O.J. No. 4293 (S.C.J.) (rev’d on other grounds, [2001] O.J. No. 4103 (Div. Ct.)).
9 M. (A) v. Ryan (1994) 98 B.C.L.R. (2d) 1 at 19, cited in British Columbia (Assessor of Area No. 09 – Vancouver) v. Lord Realty Holdings Ltd., [1996] B.C.J. No. 2092 (B.C.C.A.).
10 Klar, Tort Law (Toronto: Carswell, 1991) at 56, cited in Haskett v. Trans Union of Canada Inc., [2001] O.J. No 4949 (S.C.J.) (“Haskett”). However, the Court in Haskett acknowledged that, more recently there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy: Tran v. Financial Debt Recovery Ltd., supra, note 9 and Lipiec v. Borsa (1996), 31 C.C.L.T. (2d) 294 (Ont. Gen. Div.).
11 McIsaac et al., supra, note 3, at 2-55.
12 [2001] 1 W.L.R. 2341 (Q.B.).
13 [2001] Q.B. 967 (C.A.).
14 [2001] 1 W.L.R. 2341 (Q.B.)
15 Supra, note 14, at 997 and 1001.
16 [2003] EWHC 786 (Ch). There were also subsequent decisions awarding damages ([2003] EWHC 2629 (Ch)) and costs ([2004] EWHC 63 (Ch)).
17 [2005] EWCA Civ 595.
18 Wainwright v. Home Office, [2003] 3 W.L.R. 1137 (H.L.)
19 [2004] UKHL 22 (6 May 2004).
20 Ibid, at para. 11.
21 Ibid, at para. 14.
22 See Restatement of Torts 2d, article 652D.
23 Supra, note 20, at para. 21.
24 Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd., [2001] H.C.A. 63.
25 See Taylor, “Where Is There No Common Law Right of Privacy?” (2000) 26 Monash University Law Review 235; “Privacy, Injunctions and Possums: An Analysis of the High Court’s Decision in Australian Broadcasting Corporation v. Lenah Game Meats”, (2002) Melbourne University Law Review 707; Protecting Privacy, Property, and Possums: Australian Broadcasting Corporation v. Lenah Game Meats Pty. Ltd. (2002), 30 Federal Law Review 177.
26 See, for example, Giller v Procopets [2004] V.S.C. 113 at 187-189; Moore-McQuillan v WorkCover/Nero Workers Compensation (SA) Ltd (Wolf Air and Dive Shop), [005] SAWCT 3; but see Grosse v Purvis [2003] QDC 151 and “Gross v Purvis: its place in the common law of privacy” (2003), 10 PLPR 66.
27 Hosking v Runting, [2004] NZCA 34 (25 March 2004); P. v D., [2001] 2 N.Z.L.R. 591; Tobin, “Invasion of Privacy”, [2000] New Zealand Law Journal 216.
28 Govind v State of Madhya Pradesh (1975), 62 A.I.R. (SC) 1378.
29 77 O.R. (3d) 621; 260 D.L.R. (4th) 145; 133 C.R.R. (2d) 292, 202 O.A.C. 278
30 (2006), 53 C.C.E.L. (3d) 107 (Ont. S. C.J.)
31 (2006), 79 O.R. (3d) 172; 263 D.L.R. (4th) 752; 2006 CanLII 202 (On. S.C.)
32 To the contrary, see Bracken v. Vancouver Police Board et al, 2006 BCSC 189 (CanLII) at para. 28: “The common law does not include a tort of invasion of privacy”. The conclusion in Bracken may have been influenced by the existence of the B.C. Privacy Act, which provides for a limited cause of action for invasion of privacy.
33 2008 CanLII 2760 (ON S.C.)
34 (2008) 298 D.L.R. (4th) 265; 2008 CanLII 45407 (ON S.C.)
35 92 O.R. (3d) 663; 2008 CanLII 57728 (ON S.C.)
36 2008 CanLII 66139 (ON S.C.)
37 Five of Canada’s ten provinces have granted some form of statutory cause of action relating to invasions of privacy: Quebec, British Columbia, Manitoba, Saskatchewan and Newfoundland and Labrador. These statutory causes of action tend to be limited in scope, and few successful claims that have been brought have resulted in very small damages awards.
38 Dyne Holdings v. Royal Insurance of Canada (1996), 34 C.C.L.I. (2d) 180 (P.E.I.S.C.)
39 [1989] 2 S.C.R. 574.
40 See also Cadbury Schweppes Inc. v. FBI Foods Ltd. (Cadbury Schweppes), [1991] 1 S.C.R. 142.
41 Supra, note 20.
42 Cadbury Schweppes, [1991] 1 S.C.R. 142.
43 L. (M.S.) v. G. (H.R.), [2005] 9 W.W.R. 97; 42 B.C. L.R. (4th) 136; 2005 BCSC 488 (CanLII).
44 CC v AB, [2006] EWHC 3083 (Q.B.)
45 [1987] 2 S.C.R. 99, at 136.
46 Supra, note 11.
47 R.S.O. 1990, c. C.33.
48 [1983] 1 S.C.R. 205.
49 Ibid., at 244. Where there is a sanction created by the statute it may be enforced in some circumstances by civil proceedings: Whistler Cable Television Ltd. v. Ipec Canada Inc., [1993] 3 W.W.R. 247 (B.C.S.C.) and Canada Post Corporation v. G3 Worldwide (Canada) Inc., 2005 CanLII 46078 (ON S.C.).
50 Ryan v. Victoria (City), [1999] 1 S.C.R. 201, at paras. 29 and 40.
51 Sometimes referred to as “negligent breach of statute”: see Britton v. Klippenstein, [2004] 10 W.W.R. 397 (Sask. Q. B.).
52 Successful damage claims in which statutory duties were used to establish negligence include Galaske v. O’Donnell, (1994), 112 D.L.R. (4th) 109 (S.C.C.); Noble v. Bhumper, (1996), 20 B.C.L.R. (3d) 244 (B.C.C.A.); Trango Holdings Ltd. v. Calwest Energy Corp., [2001] 263 A.R. 357 (Alta. Prov. Ct.); Prochazka v. Calwest Energy Corp., [2001] 264 A.R. 104 (Alta. Prov. Ct.).
53 See the discussion in Chong v. Flynn, [1999] 10 W.W.R. 671 (Alta. Q. B.), at paras. 12-19.
54 [1999] O.J. No. 2263 (S.C.J.); varied by [2001] O.J. No. 5083 (C.A.).


Privacy Breach Notification: A Snapshot of Laws in Canada
 

Amanda Lawson* and Maureen L. Murphy**

Overview

In Canada’s federal system, privacy is regulated at the federal and provincial levels of government. Although privacy legislation now exists in every province and territory in Canada, not all statutes impose a mandatory requirement to notify individuals in the event of a privacy breach. Indeed, only a few jurisdictions have included, or have proposed to include, breach notification requirements in their respective privacy statutes. For the most part, these notification obligations are included in provincial privacy legislation that is specific to health information and generally applies only to health care providers.

Ontario is currently the only jurisdiction that has in force a duty to notify affected individual(s) in circumstances where the privacy of their personal health information has been compromised. This obligation applies only to “health information custodians” (e.g. hospitals, physicians, laboratories), but is required in every case of breach. The health specific privacy legislation recently introduced or passed in almost all of the Atlantic provinces will also impose breach notification requirements when brought into force. However, notification will not be required in every case, but only where the breach will have an adverse impact on the affected individual(s).

Alberta is the first Canadian jurisdiction to pass amendments to its private sector privacy legislation to require mandatory breach notification by private sector organizations. However, notification must be made to the Privacy Commissioner, rather than the affected individual(s). Similar to the health privacy legislation in the Atlantic provinces, notification is only required where there is a real risk of significant harm to the affected individual(s).

Regardless of any statutory requirement to notify individuals of a privacy breach, organizations that collect and hold personal information in Canada will want to consider whether it is necessary to notify affected individual(s) and/or the relevant Privacy Commissioner in the event of a breach. For example, contractual obligations may require organizations to notify affected individual(s) in the case of privacy breach. Where notification is required, organizations will need to consider the appropriate method of notifying the affected individuals (e.g. by letter, face-to-face meeting, etc.).

We provide below a detailed outline of the applicable breach notification requirements across Canada.

Federal

The Personal Information Protection and Electronic Documents Act (PIPEDA)1 is a federal privacy statute that applies to organizations that collect, use, and disclose personal information in the course of commercial activities. PIPEDA applies within a province or territory if that province or territory has not adopted "substantially similar" legislation (to date only Ontario, British Columbia, Quebec and Alberta have legislation deemed to be substantially similar to PIPEDA).

PIPEDA does not currently contain any privacy breach notification provision. Therefore, the disclosure of privacy breaches continues to be voluntary under PIPEDA. However, the Office of the Privacy Commissioner of Canada encourages organizations to examine all potential and actual breaches and decide on an appropriate response.

Alberta

In Alberta, the Personal Information Protection Act (PIPA)2 applies to the collection, use, and disclosure of "personal information" by private sector organizations, whereas the Health Information Act (HIA) governs the collection, use, and disclosure of "health information" by "custodians". Currently, neither PIPA nor HIA imposes mandatory breach notification requirements on organizations or custodians.

Bill 54 was recently passed in the Alberta legislature and, once proclaimed in force, will amend PIPA such that organizations will be required to notify the Office of the Information and Privacy Commissioner of Alberta where personal information under their control is lost, inappropriately accessed or disclosed.3 Notification would only be required “where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”4 As such, notification would not be required in every case.

Ontario

Ontario is the only jurisdiction thus far that has in force privacy legislation that imposes a statutory obligation to notify individuals when a privacy breach occurs. In particular, Ontario’s Personal Health Information Protection Act5 (which governs the collection, use and disclosure of personal health information collected by “health information custodians” (e.g. hospitals, physicians, laboratories)) requires that individuals be notified at the first reasonable opportunity if their information is stolen, lost, or accessed by unauthorized persons. The provision not only imposes a mandatory notification obligation, but requires notification in every case, even if the breach will not cause any potential or actual harm to the individual.

The Information and Privacy Commissioner of Ontario has stated, however, that where personal health information is stored on a laptop or mobile computing device that is lost or stolen, the statutory notification obligation will not apply if the personal health information on the laptop was appropriately encrypted and as long as the encryption key is not also stolen.

New Brunswick

In June 2009, New Brunswick passed the Personal Health Information Privacy and Access Act (PHIPAA),6 which governs the collection, use and disclosure of personal health information by “custodians” (e.g. hospitals, physicians, laboratories). Although PHIPAA has not yet been proclaimed in force, it does include a mandatory notification provision. In particular, a custodian will be required to notify at the first reasonable opportunity the individual to whom the information relates and New Brunswick’s Access to Information and Privacy Commissioner, if personal health information has been stolen, lost, or inappropriately disposed, disclosed or accessed.

Notification will not be required where the custodian reasonably believes that the breach will not have an adverse impact on the provision of health care to the individual or on the individual’s mental, physical, economic or social well-being. Notification is also not required where the breach will not lead to the identification of the individual to whom the information relates. To the extent that personal health information has been appropriately encrypted, notification would likely not be required in the event of a breach.

Nova Scotia

Bill 64, Personal Health Information Act (Bill 64), was introduced in the Nova Scotia Legislature in November 2009 and would govern the collection, use and disclosure of personal health information by custodians.7 To date, Bill 64 has only received first reading.

Bill 64 includes a mandatory notification provision where personal health information has been stolen, lost, or subject to unauthorized access, use, disclosure, copying or modification. Bill 64 would only require custodians to make notification to patients at the first reasonable opportunity where “there is potential for harm or embarrassment to the individual.” A custodian may request authorization from the Privacy Review Officer to provide notification to the individual at a time other than the first reasonable opportunity, or in a manner other than direct contact with the individual. Where a custodian determines on a reasonable basis that there is no potential for harm or embarrassment to the individual as a result of the breach, the custodian would not be required to notify the individual. The custodian would, however, be required to notify the Privacy Review Officer of the decision not to notify.

Newfoundland and Labrador

Although not yet in force, the Personal Health Information Act (PHIA) will apply to the collection, use and disclosure of personal health information by custodians.8 Pursuant to the PHIA, a custodian that has custody or control of personal health information will be required to notify an individual who is the subject of the information at the first reasonable opportunity where the information has been stolen, lost, disposed of inappropriately, or accessed by unauthorized persons. Where a custodian reasonably believes that there has been a “material breach” (as defined in the regulations), the custodian must also inform the Newfoundland and Labrador Privacy Commissioner of the breach.

Notification may not be required where the custodian reasonably believes that the breach will not have an adverse impact upon the provision of health care to the individual or on the individual’s mental, physical, economic or social well-being. Notwithstanding a custodian’s determination not to notify, the Commissioner may still recommend that the custodian, at the first reasonable opportunity, notify the individual who is the subject of the information. 

Editor’s Note: Amendments to Alberta’s Personal Information Protection Act referred to in the article came into effect on May 1, 2010.

*Amanda Lawson is an Associate in the Ottawa Office of Gowling Lafleur Henderson LLP and can be reached at amanda.lawson@gowlings.com;

**Maureen L. Murphy is a Partner in the Ottawa Office of Gowling Lafleur Henderson LLP and can be reached at maureen.murphy@gowlings.com.

_________________

1 S.C. 2000, c. 5.
2 S.A. 2003, c. P-6.5.
3 Bill 54, Personal Information Protection Amendment Act, 2009, 2d Sess., 27th Leg., Alberta, 2009 (assented to 26 Nov. 2009), comes in force upon proclamation, S.A. 2009, c50.
4 Ibid., cl. 25.
5 S.O. 2004, Chapter 3.
6 S.N.B. 2009, c. P-7.05 (not yet in force).
7 Bill 64, Personal Health Information Act, 1st Sess., 61st Gen. Ass., Nova Scotia, 2009, (First Reading: November 3, 2009).
8 S.N.L. 2008, c. P-7.01 (only some provisions in force).


A Year in Review: Key Findings of the Privacy Commissioner of Canada in 2009
 

Nicole Kutlesa*

The Office of the Privacy Commissioner of Canada (OPC) in 2009 issued 14 findings under the Personal Information Protection and Electronic Documents Act (PIPEDA), which explored a variety of issues from the collection of date of birth (DOB) and licence numbers, to the availability of the “publicly available” exception to consent, to the use of surveillance and other technology such as Deep Packet Inspection and GPS, to circumstances dealing with disclosures in legal proceedings. This article summarizes the key findings coming out of the 2009 OPC decisions. Please note this article does not summarize the key findings of the CIPPIC v. Facebook Inc. decision (PIPEDA Case Summary #2009-008), as this decision has been extensively reviewed and summarized in various publications.

Limits on the Scope of Collection

It is a basic privacy principle that an organization must limit its collection of personal information (“PI”) to only the amount and types of PI required to fulfill the identified purpose. A number of OPC findings from 2009 explore this basic principle and highlight the importance of evaluating the necessity of collection and the legitimacy of the business purpose. The key lessons learned include the following:

  • The convenience of the organization must not supersede an individual’s right to privacy. Therefore, an organization must consider whether the information it collects is at a minimum necessary for the specified purpose or merely convenient (PIPEDA Case Summary #2009-14).
     
  • Where the specified purpose is fraud tracking and detection, only a limited amount of PI is necessary; the collection of driver’s licence numbers is not legitimately required for these purposes nor is the collection of DOB in the absence of evidence that such collection is an effective means of deterring and detecting fraud. However, to the extent that such purpose can be established, the collection of DOB information should be limited to collection of either the day and month or the year and month of birth (PIPEDA Case Summary #2009-14).
     
  • In some circumstances, DOB should not be collected at all if collection of an individual’s age is sufficient to meet the specified purpose (PIPEDA Case Summary #2009-006). Furthermore, where age verification is required, an organization need only review personal identification for this purpose; it need not record such information (PIPEDA Case Summary #2009-14).
     
  • Where the specified purpose is credit checking, similarly only a limited amount of PI is necessary to fulfill this purpose (i.e., name and address); the collection of driver’s licence numbers is not legitimately required for this purpose, although DOB may be necessary for identification purposes when a common name is involved (PIPEDA Case Summary #2009-14).
     
  • In circumstances where there is cause for suspicion of either actual or potential fraudulent activities, certain organizations (i.e., financial institutions) may request more PI from individuals to confirm their identity (PIPEDA Case Summary #2009-012).

Consent to Collection, Use and Disclosure

PIPEDA provides for some very limited exceptions to the requirement to obtain consent to the collection, use or disclosure of an individual’s PI, including in circumstances where the PI is “publicly available” as defined in the Regulations to PIPEDA. The OPC’s investigation of this issue in 2009 shows that the “publicly available” exception is only available under limited circumstances:

  • Collating publicly available information into aggregate marketing lists is a use of PI, but where such PI is “publicly available” information as contemplated by the exceptions in the Regulations to PIPEDA such use does not amount to the creation of new PI for which consent is required. Publicly available information that is exempt from consent when collected remains exempt when used or thereafter sold (PIPEDA Case Summary #2009-004).
     
  • The exception to consent set out in section 1(e) of the Regulations to PIPEDA for “publicly available” information that appears in a publication in printed or electronic form that is available to the public and where the individual has provided the information, does not generally apply to PI posted on websites, including business websites. Therefore, consent is required in order to send unsolicited marketing communications to business e-mail addresses collected from online sources except in very limited circumstances (PIPEDA Case Summary #2009-013).
     
  • If obtaining marketing lists containing personal contact information from third parties, an organization is responsible for ensuring that the original collection was obtained with the consent of the individuals contained in the list (i.e., through contractual means) (PIPEDA Case Summary #2009-013).
     
  • The exception to the requirement to obtain consent to disclosure where information is “publicly available” is not available merely by virtue of the fact that the information is accessible to the public through public sources; the exception applies only in those instances where the information that was disclosed was actually collected by the disclosing party from the public source (PIPEDA Case Summary #2009-002).

Surveillance and other Tracking Technologies

The OPC has created a four-part test to assess whether the use of surveillance technology will be appropriate in a given circumstance: (i) is the technology demonstrably necessary to meet a specific need; (ii) is the technology likely to be effective in meeting the need; (iii) is the loss of privacy proportional to the benefit gained; and (iv) is there a less privacy-invasive way to achieve the stated purpose. The OPC considered the use of surveillance technology in several findings issued in 2009:

  • The use of MDT (Mobile Data Terminal) and GPS (Global Positioning System) technology in a company vehicle may be acceptable provided the purpose is legitimate and appropriate consent is obtained, which will depend on the appropriateness of the purpose and the sensitivity of the information. The use of technology to improve efficiency and increase quality of service is a legitimate purpose (PIPEDA Case Summary #2009-011).
     
  • The use of video surveillance in a bus terminal was found to be appropriate for the following purposes: (1) to ensure the safety and security expectations of customers and employees; (2) reduce and discourage incidents of vandalism and illegal conduct; (3) limit the potential for liability for damages due to fraud, theft or inappropriate operational procedures. Although consent from customers may be implied in relation to the use of surveillance technology in bus terminals, consent may only be implied in relation to employees with respect to purposes that meet the reasonable expectations of the employees. Therefore, where a camera set up for an appropriate purpose inadvertently collects employee PI that the employer wishes to use for employee management purposes, express consent will be required (PIPEDA Case Summary #2009-001).
     
  • In the event an organization inadvertently collects PI through surveillance technology that is not related to the purpose of the surveillance, such information should be removed or made anonymous. It may be acceptable to collect PI through surveillance technology without the consent of an individual in situations where the organization has reason to believe that the collection of information about the third party is relevant to the purpose for collecting information about the subject (PIPEDA Case Summary #2009-007).
     
  • The use of Deep Packet Inspection (DPI) technology raises potential privacy issues since it is possible that DPI technology can be used by organizations to peer into data packets, which can reveal content that is PI, such as email content, Voice-over-Internet Protocol (VoIP) calls, passwords, photos, etc. Consent to the use of DPI is required and can be implied when an appropriate description (i.e., to manage traffic) is contained in an organization’s written privacy policy. However, it would not be sufficient to rely on implied consent to the use of DPI technology based on a general description whereby the organization reserves the right to “monitor or investigate content”; any expanded uses of DPI technology would require the express consent of individuals (PIPEDA Case Summary #2009-010).

Disclosure in Legal Proceedings

  • The exception to the requirement to obtain consent prior to disclosure of an individual’s PI set out in section 7(3)(c) of PIPEDA (i.e., if the disclosure is required to compel production of information or records) only applies to the extent that the legal writ (e.g., subpoena, warrant) expressly requires the disclosure to a named party. Otherwise, if the writ merely requires attendance at a legal proceeding and requests an individual bring with him or her certain information relating to a third party (i.e., for evidentiary purposes), such information must not be disclosed without the consent of the third party. Further, any information disclosed in compliance with a legal writ and relying on the exception under section 7(3)(c) must be limited to that which is specifically requested by the writ and only released to the party expressly named in the writ (PIPEDA Case Summary #2009-005).
     
  • In defending a claim, consent to the collection, use and disclosure of PI to a third party consultant or expert may be implied for the limited purposes of defending the claim where a plaintiff or complainant initiates legal proceedings and places certain PI at issue. In these circumstances, express consent need not be obtained from the plaintiff or complainant (PIPEDA Case Summary #2009-003).

Jurisdiction

  • The OPC has jurisdiction to investigate the practices of foreign organizations that collect, use and disclose the PI of Canadians (PIPEDA Case Summary #2009-009).

*Nicole Kutlesa is an Associate in the Toronto Office of Osler, Hoskin & Harcourt LLP and can be reached at 416-862-6417.


Bill C-27, the Electronic Commerce Protection Act: Spam and PIPEDA Amendments
 

Howard Simkevitz*

Introduction

After a great deal of attention and significant lobbying at the House Committee, Bill C-27, the Electronic Commerce Protection Act (ECPA), passed third reading in the House of Commons on November 30, 2009. However, Prime Minister Stephen Harper, in a much contested move, later prorogued Parliament for two months. This means that all bills that have not received royal assent die and must be restarted from the beginning when a new Parliament begins. Bill C-27 did not become law before the 2nd Session of the 40th Parliament ended on 30 December 2009. Bills that need to be restarted include the proposed anti-spam provisions and Personal Information Protection and Electronic Documents Act1 (PIPEDA) amendments found in Bill C-27. Therefore, this legislative update should be approached with some caution as changes may occur to the proposed legislation while still in draft form.

Bill C-27 Background

Bill C-27, based on federal trade and commerce power, will apply to any person or organization (including charities and other not-for-profit organizations) and crown agencies that engage in “commercial activity” and send “commercial electronic messages”. The ECPA is viewed as an important piece of legislation in large part because spam affects the vast majority of email users resulting in untoward economic consequences and undermining confidence in electronic commerce.2 The ECPA, therefore, is intended to combat spam by providing new investigative and enforcement mechanisms including administrative and civil penalties. In short, the bill sets forth requirements for express consent in advance of sending commercial electronic messages (e-mail or otherwise).3

Conversations focused on combating spam and the often nefarious means used for its distribution4 quickly turn to the privacy issues given that email addresses are considered to be personal information under PIPEDA.5 Although there are other important facets to ECPA, the scope of the following summary will be limited to two main categories within the proposed legislation: (1) anti-spam and (2) PIPEDA amendments.

Anti-Spam

Section 6 of the bill is the primary anti-spam provision. It applies to all electronic messages where it is “reasonable to conclude”6 that the message is commercial in nature. This may include: offers to purchase or sell products, goods or services; business opportunities; advertising or promotion of goods, services, products, etc.; and promotion of a person who does any of these commercial activities. The definition of “commercial activity” in the bill differs from that found in PIPEDA7 in that there need not be an expectation of profit to qualify. The bill also has a specific carve out for “…the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada...”8 which are not considered commercial in nature.

The main mechanism for stopping spam is consent, which must be obtained from the individual in advance of sending a message of this sort.9 Predictably, there are exceptions to the consent requirement. For example, no consent is required if there is a personal or family relationship.10 In addition, carve outs have been made for internet service providers who are merely enabling the transmission of the electronic message.11 There is also an exception for messages which generally take place by telephone, ostensibly telemarketing activity, such as a two-way voice communication, a fax, or a voice recording.12 This is currently the domain of the CRTC Do-Not-Call list, which may or may not require separate administration in the future as it is anticipated that technologies will increasingly converge.

As in PIPEDA, consent may also be implied in certain circumstances. However, whereas PIPEDA looks at the reasonableness and sensitivity of the information in making such a determination, section 6 of the bill provides explicit details hinging on an “existing business relationship” between the sender and recipient (e.g. purchase of a product, good or service over the prior two years; an active written contract, or an inquiry from the recipient over the prior six months). Further, where implied consent is considered to be in place, the bill provides for further clarification through regulation.13

The section is worded broadly to capture the entire spamming process from parties which commission and send spam through to those which permit the spam to be sent. However, application is limited to computer systems used to send, route or access the message located in Canada.14

Section 6 also mandates that the content of any such messages must include contact and unsubscribe information.15 The unsubscribe mechanism must allow for opt-out by way of email or hyperlink that remains valid for at least sixty days after the message is sent. If an unsubscribe request is made, the sender would then have ten days to comply with the request.

Anti-Phishing, Malware and Botnet Provisions

Section 7 of the bill specifies that unless there is express consent of the sender or a court order, altering the transmission data in an electronic message is prohibited. This provision is aimed at combating “man in the middle attacks” or the increasingly prevalent scam known as “phishing”, where the recipient believes the message is coming from a bona fide source and, in responding to the electronic message, may disclose personal information which can then be used for fraudulent purposes. To ensure that ISPs are able to combat this problem, an exception has been made for such enterprises if the transmission is affected for the purposes of “network management”.16

Similarly, section 8 of the bill says that a “computer program”17 may not be installed on an individual’s computer unless there is express consent of the sender or in accordance with a court order. This provision is aimed at spyware and botnets, which are programs that install on a computer without the user’s knowledge and carry out pernicious activities.

It should also be noted that section 9 states that it is a violation to cause or procure any of the activities in sections 6 through 8.

PIPEDA Amendments18

There are several provisions which expand the Privacy Commissioner’s power and discretion to investigate complaints. The critical provision of ECPA regarding PIPEDA is section 78, which adds a new section 7.1 to that piece of legislation. This provision will narrow the application of the current section 7 of PIPEDA, which provides for collection, use and disclosure of personal information without consent. Presently, section 7 allows collection, use and disclosure without consent in limited circumstances, such as where the personal information is already publicly available or for the purposes of national security.

The new section 7.1 in PIPEDA is complementary to the bill’s section 8 (mentioned above). While section 8 says “don’t install software without consent”, and there are ECPA consequences to violations, section 7.1 says “it is a privacy violation to get information from private computers if accessed illegally, including by violating ECPA section 8.”

Also, as indicated above, part of the purpose of this bill is to block malware, spyware and viruses. Thus the bill, while specifically prohibiting installing software without consent, also amends PIPEDA so that it is a privacy violation to collect information via unauthorized access to computer systems – that is, installation of software without the individual’s consent19 and collection of personal information from the computer without the individual’s consent.

Enforcement

The Office of the Privacy Commissioner of Canada (OPC), the Canadian Radio-television and Telecommunications Commission (CRTC) and the Competition Bureau will have shared enforcement of ECPA.20 Each of the three partner agencies gets new investigation and enforcement provisions which are planned to come into effect when the bill receives Royal Assent. The rest of ECPA will take about six months before a ‘Coming into Force’ date.

In general, the enforcement provisions are intended to facilitate consultation, referral and information sharing among these agencies to improve the efficiency and effectiveness of investigations and enforcement actions. In addition, because the spam problem is global in reach and regularly implicates multiple jurisdictions, the three agencies will also have the authority to share information under written arrangements with foreign states where the information may be relevant to an investigation under a foreign law that addresses substantially similar conduct.21

Duties under the shared enforcement scheme will track areas of legislative expertise. On the one hand, the CRTC and the Competition Bureau will take the lead on provisions dealing with the sending and the content of electronic messages. On the other hand, the Privacy Commissioner will have responsibility for investigating related contraventions of PIPEDA, specifically, the unauthorized compiling or supplying of lists of personal electronic addresses without consent.

Currently, under section 12(1) of PIPEDA, the Commissioner is required to investigate all complaints. Thus, under the first set of amendments, the Privacy Commissioner will now have the discretion to decline to investigate a complaint, or to discontinue a complaint investigation, including where the matter could more appropriately be dealt with by either the CRTC or the Competition Bureau.22

As for multi-jurisdictional investigations, the addition of section 23.1(1) to PIPEDA23 means that the Commissioner would have the authority to collaborate and exchange information with all provincial counterparts,24 and with foreign counterparts who enforce laws similar to PIPEDA.25

Under the proposed amendments to PIPEDA, the Commissioner may decide not to accept a complaint if she believes the complaint could more appropriately be dealt with under other available procedures. This includes procedures included under other federal or provincial laws, or grievance or review procedures. A complaint may also be refused if it is not filed within a reasonable period of time from the date when the issue arose.26

The Commissioner will notify complainants and the respondent organization if she decides not to investigate a complaint and will provide reasons for her decision. The Commissioner may reconsider a decision not to investigate if satisfied there are compelling reasons to do so.27

As well, the ECPA provides the Commissioner with the discretion to discontinue some investigations, for example, if she is of the opinion that there is insufficient evidence to pursue the investigation or that the complaint is trivial, frivolous or vexatious or is made in bad faith.28

Penalties

In section 20, ECPA sets out substantial monetary penalties for violations of sections 6 through 9. The maximum penalty is $1 million for an individual and $10 million for an organization. The limitation period is three years from the date on which the violation became known to the relevant authority.29 Fines are assessed per violation, and each day is considered a separate violation. It should be noted that although ECPA violations are not criminal offences, they30 do create direct and vicarious liability, which could have implications for directors and officers of corporations.31

In addition, ECPA creates a new private right of action.32 A person who alleges there has been a violation of the proscribed activity set out in sections 6-9 may apply to a court of competent jurisdiction for relief. This right is also available where data mining has been used to obtain an electronic address without consent.

*Howard Simkevitz is a Senior Privacy and Information Technology Counsel with Bell Canada, Toronto.

_________________

1 2000, c. 5 [PIPEDA]
2 Industry Canada indicates that 80% of global email traffic is spam. See Task Force on Spam, Creating a stronger safer Internet, Industry Canada May 2005 at 1 and 7 online: <http://www.ic.gc.ca/eic/site/ecic-ceac.nsf/vwapj/stopping_spam_May2005.pdf/$file/stopping_spam_May2005.pdf>.
3 See ECPA s.2 which defines “electronic address” broadly as: 

…an address used in connection with the transmission of an electronic message to.
(a) an electronic mail account;
(b) an instant messaging account;
(c) a telephone account; or
(d) any similar account.

4 For example, means such as phishing, malware, spyware, botnets, etc.
5 See Privacy Commissioner of Canada, “Fact Sheet: Protecting your Privacy on the Internet”, (July 25, 2004) online: <http://www.priv.gc.ca/fs-fi/02_05_d_13_e.cfm#003>. This includes business email addresses, for which the Privacy Commissioner has concluded that since a business e-mail address is not specified in Section 2, it is an individual's personal information for the purposes of the Act.
6 See ECPA s. 2(2) for meaning of commercial electronic message.
7 PIPEDA defines commercial affairs as: 

…any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

8 See ECPA s.2(4).
9 See ECPA s.10 for details on consent. It is worth noting, however, that in practice one cannot use spam in order to obtain consent.
10 See ECPA s.6(5).
11 See ECPA s.6(6).
12 See ECPA s.6(7). Importantly, this exemption seems to indicate that the intention of the provision is not to overstretch into the domain of the Do-Not-Call-List; however it should also be noted that ECPA s.64 provides for the repeal of this exemption.
13 See e.g. s. 63(1)(d).
14 See ECPA s.12.
15 See ECPA s. 6(2). Also see ECPA s. 11(1) for details on unsubscribe requirements.
16 See ECPA s.7(2).
17 The definition of “computer program” comes from s.342.1 in the Criminal Code stating that: “computer program means data representing instructions or statements that, when executed in a computer system, causes the computer to perform a function.”
18 See ECPA ss.78-83.
19 See ECPA s.8.
20 See ECPA ss.57-59.
21 See ECPA s.60.
22 See ECPA s.79 and also note that the commissioner may reconsider a complaint or an investigation if there is a “compelling reason” to do so.
23 See ECPA s.83.
24 At present, collaboration with provinces is restricted to those with substantially similar legislation only.
25 It should be noted that these amendments would apply to all OPC activities, not just those associated with combating spam.
26 Again, see proposed wording of s.12(1) in ECPA s.79.
27 See proposed wording of s.12(4).
28 See proposed wording of s.12.2(1) for a full list of situations where the commissioner may discontinue an investigation.
29 See ECPA s.23.
30 See ECPA s.30.
31 See ECPA ss. 31 and 32.
32 See ECPA ss.47-55.


Insurance Fraud: Association Claims OPC’s Guidelines on Covert Surveillance Unduly Inhibit Private Investigators
 

Norman Groot*

The Canadian Association of Private Investigators (CAPI) recently made submissions to the Office of the Privacy Commissioner of Canada (OPC) regarding its Guidance on Covert Surveillance in the Private Sector (Guidelines). CAPI and its members assert that the implementation of the Guidelines’ tone and content will serve only to encumber the private investigation of fraud. More specifically, the Guidelines fail to account for the serious nature of insurance fraud and fall short of striking an appropriate balance between privacy interests on the one hand, and the public’s interest in security, crime prevention, and law enforcement on the other.

Costs of Insurance and Employment Fraud

Insurance fraud is estimated to cost the property and casualty insurance industry $1.3 billion annually. The costs of employment-related fraud have never been quantified but they are known to be significant. CAPI’s submissions to the OPC posit that there will be further cost implications as a result of the publication of the OPC’s Guidelines in their current form. For example, the OPC’s suggestion that surveillance should be used only as a “last resort” would arguably make private investigations less effective. Furthermore, the Guidelines’ onerous provisions, such as the pixelation of third party images, would ultimately increase the costs of providing goods and services, as compliance with the Guidelines would result in higher fraud insurance premiums throughout the marketplace.

Privacy Law in Perspective

It is the view of CAPI that there is no immediate need for the OPC’s Guidelines. Internationally, Canada’s privacy regime is recognized to be one of the most comprehensive systems in the world. The Personal Information Protection and Electronic Documents Act1 (PIPEDA) has been lauded for achieving a reasonable balance between privacy protection and the efficient management and use of information in a commercial environment. The Guidelines, however, are inconsistent with PIPEDA2 and are out of step with Industry Canada’s acknowledgement of the private sector’s role in the prosecution of fraudulent conduct.3 This recognition is echoed in Correia v. Canac Kitchens, an employment fraud case, where the Court acknowledged that “...many functions that were once the exclusive domain of public police forces are now being performed by private agencies.”4

One of the most effective tools in a private investigator’s arsenal is covert surveillance. Further, covert surveillance can be conducted with minimal impact on legitimate expectations of personal privacy. The OPC should recognize that organizations, such as insurers and employers, generally do not want to conduct surveillance, as it adds to the cost of claims adjudication and workplace management, and have no interest in collecting sensitive information extraneous to the purpose of the investigation. Rather, the joint objective of a private investigator and his or her principal is to obtain information that would assist in determining if a fraud, breach of contract, or other contravention of the law has taken place. Canadian legal commentator Elaine Geddes states that “[a]n investigation which is discreet and unobtrusive will not be an invasion of privacy... Surveillance alone is not actionable; there must be other elements to find an invasion of privacy.”5

Covert Surveillance in Practice

Covert surveillance is widely considered a common investigative measure, not a measure of last resort. The Ontario courts have stated that “[t]he purpose of such surveillance is either verification or contradiction. A trial is a search for the truth and surveillance is a tool used in pursuit thereof.”6 Moreover, CAPI asserts that overt investigation tools such as medical examinations and interviews with neighbours are far more invasive of privacy rights than covert surveillance. In addition, the courts often prefer the objective evidence generated by surveillance, such as video and audio recordings, rather than, for example, medical evidence based predominantly on the subjective complaints of the individual under investigation to his or her doctor.

The Guidelines challenge the ability of businesses to determine the scope and methodology of their investigations. CAPI holds that insurers and employers should be permitted to exercise their discretion in selecting investigative options, including covert surveillance. The proper standard should be reasonableness under the circumstances, which would be consistent with s. 5(3) of PIPEDA.7

CAPI acknowledges, for example, that because of the disparity of power between an employer and employee, precautions should be implemented before the employer clandestinely observes its employee. To this end, CAPI recommends that the OPC draft separate guidelines addressing covert surveillance in public places in the employment context and in circumstances where insurers or organizations are investigating non-employment matters.

The relationship of trust that exists in the employer-employee context is absent and inapplicable in the insurance context. The trust element is also not a factor in disputes between businesses, such as disputes concerning intellectual property fraud.

The degree of impairment to privacy rights that may result from covert surveillance should be balanced against the nature of the matter being investigated, and the reasonable expectation of privacy in the place of investigation. In the more serious case of fraud, there should be less expectation of privacy in public places. Further, fraud investigations are necessarily focused and time-limited, and accordingly, the opportunity to gather information does not permit resorting to other forms of investigation first.

Covert Surveillance in the Courts

Challenges are being made to contest the OPC’s jurisdiction to regulate covert surveillance in the private sector. For example, State Farm Insurance has made an application to the Federal Court to seek clarity on the scope of the OPC’s mandate. In the State Farm case, following an automobile collision involving one of its insured, State Farm commissioned private investigators to conduct surveillance against a party to the accident, who claimed to have suffered injury. This individual sought to obtain the tapes and surveillance reports resulting from the investigation, a disclosure request that State Farm patently refused. Subsequently, a complaint was lodged with the OPC by the party adverse in interest to State Farm.

CAPI and its members eagerly await the Federal Court’s decision on this matter, as it holds potential implications for the role of the OPC in the private investigation industry.

*Norman Groot is counsel to the Canadian Association of Special Investigation Units, the Canadian Independent Adjusters Association and the Canadian Association of Private Investigators on privacy and investigation matters. He is also the author of the first comprehensive Canadian text on law and private investigations: Canadian Law and Private Investigations, available from Irwin Law Inc.

______________
1 Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.
2 Section 7(1) of PIPEDA states in part that:

“…an organization may collect personal information without the knowledge or consent of the individual only if…(b) it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for the purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province…”.

Furthermore, with respect to the disclosure of personal information, s.7(3) states that:  “…an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is…(d) made on the initiative of the organization to an investigative body…”.
3 This was addressed in its recommendations for the amendment of the Regulations Amending the Regulations Specifying Investigative Bodies, P.C. 2008-933, May 15, 2008, s.1(a).
4 Correia v. Canac Kitchens, 2008 ONCA 506 (CanLII) at para. 44.
5 E.F. Geddes, “The Private Investigator and the Right to Privacy” (1989) 17 Alta. L. Rev. 256 at 299.
6 Murray v. Woodstock General Hospital Trust (1988), 64 O.R. (2d) 458 at 463 (H.C.J.).
7 Section 5(3) states that: “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.”


From the Editorial Desk
 

Abi Lewis*

UN Human Rights Council Study Points to Erosion of Privacy by State Counter-terrorism Measures

So much has been happening lately on privacy on the international scene that even those of us who don’t normally follow events beyond our borders cannot fail to take note. Privacy continues to evolve as a hot button issue, providing food for thought for practitioners, regulators, scholars, the media and international agencies.

Even the UN Human Rights Council has something to say in this age of heightened security awareness. At its 13th Session (March 2010) in Geneva, the Council discussed the Report of Martin Scheinin, the Special Rapporteur on the Promotion and Protection of Human Rights and Fundamental Freedoms while Countering Terrorism (Report).

In the 22-page Report, Mr. Scheinin calls for stronger safeguards on information sharing between governments, tougher regulations to restrict state access to information held by third parties (such as Internet service providers), and measures to prevent the use of anti-terrorism powers for other purposes.

The Report also recommends against the development and use of data-mining techniques for counter-terrorism purposes. Other recommendations include asking governments to:

  • build due-process safeguards, including the right to redress, into programs that create watch lists or profiles out of surveillance data.
     
  • comply with international standards for privacy and human rights protection by developing a comprehensive data protection and privacy law that ensures adequate protection for individuals in relation to the collection, use, sharing and storage of personal information.
     
  • establish strong independent oversight mandates to review policies and practices to ensure that there is strong oversight of the use of intrusive surveillance techniques and the processing of personal information.

The Special Rapporteur’s central message is that governments should not necessarily see the task of countering terrorism as “a trump card which legitimates any interference with the right of privacy.” According to him, “every instance of interference needs to be subject to critical assessment”.

The Report cites Canada’s good example in addressing privacy concerns, highlighting some initiatives that serve to enhance privacy protection. For example, it commends the practice in which data-protection authorities review in advance the potential impact of proposed security measures on privacy (privacy impact assessments). It also refers to the Privacy Commissioner’s audit of Canada’s Passenger Protect Program, the secret government watch list containing the names of people who are deemed to be too dangerous to fly. The audit results are reported in the Privacy Commissioner's 2008-09 Annual Report to Parliament on the Privacy Act.

Jennifer Stoddart’s Take on the Future of Privacy Regulation

What is a ‘village elder’ supposed to do?

Privacy Commissioner of Canada Jennifer Stoddart, having dubbed herself a ‘village elder’, took a long view of the evolving privacy paradigm and offered her own ‘verdict’ of what the future holds out for privacy regulation.

In her address entitled The Future of Privacy Regulation on February 10, 2010 at the 11th Annual Privacy and Security Conference in Victoria, British Columbia, the Commissioner gave a scintillating overview of the changes in social media and networking that information technology has spawned. She said:

“When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world.

“And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. 

“It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy?”

Her take on the challenges that technology, globalized data flows and social change pose for privacy protection points to one thing: privacy as a concept, norm and value will remain very much relevant in public discourse in the foreseeable future.

On the impact of technology, she said:

“First and foremost, there is the sheer scope of the Internet, and the myriad ways in which we can now interact, shop, learn, and pretty much live online. 

“Another consequence is that our lives have become open books. Even if we don’t advertise our whereabouts on Google Latitude, surveillance cameras and GPS-enabled cellphones are able to capture our movements. 

“Even if we don’t broadcast our latest purchases on Blippy.com, our online browsing habits are being quietly monitored and mined for their value to merchants and marketers.”

On the evolving social norms about notions of privacy and personal information, she said:

“Most people today want to be online, to a greater or lesser extent. Ten years ago you might have asked somebody, “Do you have e-mail?” Today, it’s become practically inconceivable that someone would not be online. 

“But where we’re seeing differences is in what people do online – the extent to which they are prepared to share their personal information. 

“We want to be careful about generalizing, but I think it’s fair to say that young people in particular appear to have a more liberal concept of privacy.”

Ms. Stoddart then took issue with those who believe that the readiness of young people to embrace a more liberal concept of privacy signals a death knell for the relevance of privacy. She said:

“Regardless of how people choose to act, they maintain a powerful belief that the choice must be theirs. Increasingly, the disclosure of personal information boils down to questions of knowledge and consent. 
 
“Look at what happens, for instance, when a social networking site makes a change to its privacy policy. Its users are all over it. 

“They’re hard to ignore, and companies are wise to listen.”

Her solutions include improving laws, processes and policies to keep pace with the evolving world of information sharing as well as developing regulatory tools that are more responsive to meet future challenges of safeguarding privacy.

Collaboration of data-protection authorities within Canada and in other countries, she pointed out, would become more important to regulators in their task of ensuring that companies and other organizations comply with the laws on privacy.

Some may see the address as Ms. Stoddart’s swan song since she alluded to her tenure as Commissioner coming to an end later this year. What is clear is that she has provided a useful insight into emerging privacy issues and the challenge to regulators of keeping on top of things so that privacy is not unduly eroded in the changing information landscape.

Privacy Regulators and Google

The Privacy Commissioner of Canada, in pursuit of international collaboration on data protection, has teamed up with regulators from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK to urge Google to ensure that privacy and data protection requirements are met before the launch of future products.

In a letter of April 19, 2010 to the Google Inc. Chief Executive Officer that the Commissioner and her counterparts in nine other countries signed, they noted that although Google had addressed the potential privacy implications of the Google Buzz social networking application that was rolled out recently, Google as a leader in the online world ought to set an example for others to follow.

They called on all organizations entrusted with people’s personal information to incorporate fundamental privacy principles directly into the design of new online services.

Kudos for Canada Border Services Agency, Transport Canada

At another forum, this time at a briefing on April 29, 2010 of the House of Commons Standing Committee on Public Safety and National Security on the Passenger Protect Program and the US No-Fly List, Assistant Privacy Commissioner of Canada Chantal Bernier reiterated the message: “effectiveness of security and protection of privacy are not at odds”.

Ms. Bernier nicely summed up the criteria that should guide governments in limiting privacy in the interest of security as follows:

  • The right to privacy is a fundamental right that cannot be infringed unless it is demonstrably necessary for the public good.
     
  • It follows that the collection of personal information can only occur when it is proven necessary and it must be proportionate to that necessity.
     
  • That necessity must be assessed on an on-going basis by verifying that the collection of personal information is indeed effective and necessary in relation to the identified necessity.
     
  • It must also be demonstrated that there are no less privacy invasive alternatives to meet that necessity.

In her Statement to the Committee, she expressed satisfaction with the changes made to the Advanced Passenger Information Program and Passenger Name Record and Passenger Protect by Canada Border Services Agency and Transport Canada in response to concerns from the Office of the Privacy Commissioner of Canada.

Again, this is another example of how Canadian public agencies are trying to deal with the thorny issue of privacy and state security. No wonder the international community is beginning to take note of Canada’s record on privacy protection.

OECD Privacy Guidelines 30th Anniversary

This year the Organization for Economic Cooperation and Development is marking the 30th anniversary of its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which were the first statement of the core information privacy principles.

The OECD Guidelines have proven useful over the years, serving as the model for developing privacy instruments around the world including Canada’s Personal Information Protection and Electronic Documents Act.

For those interested in international events, a conference on the evolving privacy landscape will be held in Jerusalem, Israel on October 25 and 26 as part of the activities marking the anniversary. The conference will be hosted by the Israeli Law, Information and Technology Authority, and held back-to-back with the 32nd International Conference of Data Protection and Privacy Commissioners.

In March, an OECD Roundtable on the impact of the Privacy Guidelines was held in Paris, France.

2009 Annual Report of the Ontario Information and Privacy Commissioner

Ontario Information and Privacy Commissioner Ann Cavoukian has released the yearly scorecard of the activities of her Office. The 2009 Annual Report covers key issues such as accountability in juror vetting, safeguarding personal information, privacy by design and access by design.

Of note is the Commissioner’s renewed call that the government extend the application of the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act to cover more organizations that receive substantial public funds in order to ensure transparency and accountability.

In 2004, the Commissioner identified universities, hospitals and Children’s Aid Societies (CAS) as organizations that relied extensively on taxpayer funding but were not covered by the provincial or municipal Act. While acknowledging that the provincial Act now applies to universities, she is asking the government to bring hospitals and CAS under the legislation.

The Commissioner also called for amendments to the Personal Health Information Protection Act to protect personal health records that are abandoned by health professionals.

Health Information and Encryption

Ontario Information and Privacy Commissioner Ann Cavoukian has directed Durham Region’s Medical Officer of Health to ensure that all personal health information stored on mobile devices such as laptops and memory sticks is strongly encrypted.

The Commissioner launched an investigation under the Personal Health Information Protection Act (PHIPA) into the loss of a USB key by a public health nurse last December that contained personal information of about 84,000 people who had attended H1N1 immunization clinics in Durham Region. Following the investigation, the Commissioner issued Order HO-007 on January 14, 2010 to address the privacy breach.

Noting that the privacy breach could have been prevented since encryption technology is available, the Commissioner used the occasion to send a message to service providers: “She expects all personal health information stored on any type of mobile device in Ontario to be protected with strong encryption.”

The Commissioner further said: “While I accept that custodians may not be able to totally eliminate the loss or theft of mobile devices, what I cannot accept is that the information contained therein is not encrypted. Unauthorized access to health information stored on these devices that happen to be lost or stolen may clearly be prevented through the use of encryption technology. However, despite strong incentives to avoid privacy breaches and the availability of encryption to prevent such breaches, unencrypted mobile devices continued to be used. This is both distressing and completely unacceptable.”

In Order HO-007, the Commissioner reminded health information custodians of their obligation under the PHIPA, with specific focus on the issues raised in Order HO-004 issued in 2007 that also dealt with the loss of unencrypted personal health information.

Tough language, it may seem, but it tends to show the strong public interest that privacy breaches generate, especially in the area of health information, which is sensitive.

Unusual Lawsuit

An unusual lawsuit, some may say, and this may explain why it has garnered media attention.

Remember Tiger Woods’ indiscretions and cellphone messages? The cellphone, that ever-pervasive and ubiquitous communication device, has sometimes caused havoc in the affairs of men and women.

On May 17, 2010, the Toronto Star published a story entitled “Toronto woman sues Rogers after her affair is exposed”. Metro Toronto picked the news from Torstar News Service and ran the same story on the front page of its May 17 issue with the following headline – “Hookup unveiled – woman suing Rogers after affair discovered by hubby”.

The woman, Gabriella Nagy, has alleged in a statement of claim filed against Rogers Wireless Inc. that the company’s practice of combining charges to clients for various services (cable TV, Internet, home phone and cellphone) into one billing was responsible for the break-up of her marriage. She is suing Rogers for $600,000 for alleged invasion of privacy and breach of contract.

According to the Star, Rogers in its statement of defence has denied the plaintiff’s allegations, saying that “apart from administrative efficiency, doing so (combining the billing) would result in savings to the plaintiff and her husband for the services.”

This case seems to raise potential privacy implications of the popular practice adopted by service providers of bundling services, especially in the telecommunication industry. While there is administrative efficiency and cost saving in bundling telecommunication services, concerns about privacy may become a significant factor that service providers and users have to take into account.
 

Credit Checks and Privacy: A Recent Alberta Finding

Can an employer that is concerned about reducing employee theft and fraud implement a policy of conducting pre-hiring credit checks?

An investigation report of the Alberta Information and Privacy Commissioner suggests that privacy pitfalls await an employer taking such a step without determining whether collection of personal credit information from a potential employee is reasonably required to assess the person’s ability to perform the job.

The complainant, who was interviewed by Mark’s Work Wearhouse for a position as a sales associate and asked to submit to a security clearance check and a credit check, later found out that he was turned down on account of information about his credit rating.

In Investigation Report P2010-IR-001 into Mark’s Work Wearhouse’s policy on conducting pre-hiring credit checks, the Commissioner said that it was not necessary to collect the complainant’s personal credit information for the purpose of assessing his suitability for the job. The Commissioner found that Mark’s Work Wearhouse did not meet the requirements of section 11(1) of Alberta’s Personal Information Protection Act that requires organizations to collect personal information only for purposes that are reasonable.

The Commissioner recommended that Mark’s Work Wearhouse “cease collecting personal credit information of sales associate applicants as part of the organization’s hiring process.”

The Report noted that Mark’s Work Wearhouse has implemented the Commissioner’s recommendation.
 

*Abi Lewis is a Counsel at the Ontario Ministry of the Attorney General, Social Justice Programs and Policy Division.
