Posted on March 5, 2013
David Elder -
In an apparent attempt to apply pressure to the government to amend the federal private sector privacy law, New Democrat Digital Issues Critic Charmaine Borg recently introduced a private members bill that would introduce mandatory data breach reporting and provide the Privacy Commissioner of Canada with direct enforcement powers.
The government’s own bill to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in September of 2011, but Bill C-12, as the bill is known, has not moved forward since that time.
Continue Reading...
Posted on October 25, 2012
David Elder -
In an important constitutional case, the Supreme Court of Canada has granted leave to hear an appeal from a decision that found that the application of privacy law to the videotaping of individuals crossing picket lines infringed the Canadian Charter of Rights and Freedoms.
As we noted in a previous post, the judgment in question considered the activities of a union that had videotaped picketing activity during a strike at an Edmonton casino. Like other Canadian private sector privacy laws, Alberta’s Personal Information Protection Act (PIPA), generally requires the consent of individuals for the collection, use and disclosure of their personal information, including videotaped images of identifiable individuals. The union, which did not obtain such consent, videotaped and photographed the picket lines in order to publicize the images of individuals crossing the lines.
Continue Reading...
Posted on October 24, 2012
The Federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because provincial legislation is “substantially similar”.
Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.
Continue Reading...
Posted on October 22, 2012
David Elder -
Employees in Canada retain some reasonable expectation of privacy in personal data stored on an employer-supplied laptop, even where workplace policies and practices provide that all information stored or generated on such devices is the property of the employer, says the Supreme Court of Canada. However, the implications of this criminal law case remain unclear for private sector employers.
In its judgement in R. v. Cole, on appeal from a decision of the Ontario Court of Appeal, the Court considered the case of an Ontario high-school teacher, on whose school board-supplied laptop a school technician found nude images of a student. The technician copied the photos in question onto a disk for the school’s principal, who seized the laptop and informed police, who took possession of the laptop and disks, then examined their contents. The police did not obtain a warrant before seizing the equipment or examining the contents.
Continue Reading...
Posted on October 10, 2012
Anti-bullying advocates will applaud a recent Supreme Court of Canada decision that paves the way to give young victims of online bullying stronger legal rights. The case of A.B. v Bragg Communications Inc. is notable as it directly pits society’s interest in the protection of children from cyberbullying against freedom of the press and the open court principle.
The facts of the case are straightforward. A 15-year old Nova Scotia girl, identified only as A.B., discovered that someone had created a phony Facebook profile using her name and picture. The picture was accompanied by some unwelcomed commentary about the girl’s appearance along with sexually explicit references. A.B. applied to a Nova Scotia court for an order requiring Eastlink, an internet service provider, to disclose the identity of the person(s) standing behind the IP address used to publish the phony Facebook profile. In order to protect her privacy, A.B. also asked the court for permission to make her application anonymously and for a publication ban on the contents of the fake Facebook profile. Her request to proceed anonymously and under a publication ban were denied by the trial judge and the Court of Appeal but those decisions were partially overturned in this case by the Supreme Court of Canada.
Continue Reading...
Posted on October 3, 2012
Research by the Office of the Privacy Commissioner of Canada found that leading websites in Canada are providing registered users’ personal information to third-party websites without their users’ knowledge or consent. The third-party recipients include advertising, marketing, social networking and web analytics websites.
The study found that one out of four websites in the sample regularly disclosed its users’ personal information to third-parties. According to the Privacy Commissioner, the findings raise significant questions about compliance with privacy laws in the online world.
Posted on June 7, 2012
As we discussed in a blog post last year, the Alberta Court of Queen’s Bench recently struck down provisions of Alberta’s Personal Information Protection Act (PIPA) that were found to infringe the right to free expression under the Charter. The case considered the activities of a union that had videotaped picketing at the West Edmonton Mall casino in order to publicize images of individuals that crossed the picket lines. At trial, the union had relied on a number of arguments to justify its activities, including the fact that PIPA does not apply to personal information collected for journalistic purposes, as well as the exemption from the consent requirement with regards to personal information that is “publicly available”. Ultimately, the trial court found the provisions in question to be too narrow and, thus, unconstitutional. In a recent decision of the Alberta Court of Appeal, Justice Slatter agreed that the application of PIPA to the union’s activities infringed the Charter.
In its constitutional analysis, the Court of Appeal concurred with the trial court’s finding that the picket line and its related videotape recordings were an expressive activity. Meanwhile, in considering the potential justifications for infringement, the Court of Appeal found there to be a pressing and substantial concern in the potential misuse of personal information, as well as a rational connection between the PIPA’s provisions limiting the use of personal information and the objectives of the Act.
Continue Reading...
Posted on May 2, 2012
David Elder & Robert Mysicka -
A recent decision by the British Columbia Supreme Court has led to yet another case of “Facebook Remorse” for a Plaintiff with an active social media presence.
The case also further confirms the trend in Canadian civil courts to require disclosure of “private” social media postings where relevant to the case at hand.
In Fric v. Gersham the Plaintiff, who is a recent law school graduate, is claiming damages resulting from injuries suffered in a motor vehicle collision that occurred in 2008. The action, which is scheduled to proceed to trial in May, 2013, involves claims by the Plaintiff of loss and damages, including pain and suffering, loss of amenities of life, past and future loss of earning capacity, and other damages alleged to have been caused by the Defendants, who were involved in the motor vehicle accident with the Plaintiff.
Continue Reading...
Posted on March 9, 2012
In an increasingly digital age, data protection has become a key component of business risk management. Companies in every industry are understandably keen to protect their trade secrets, clients list and other company data. To that end, companies routinely include confidentiality and related provisions in employment contracts, and maintain policies and procedures regarding the protection of business-related information within and outside the workplace. Further, employers now more commonly monitor employees’ use of electronic technology, such as email.
Recent decisions from the U.S. and Canada, however, demonstrate that there remains a potentially uncertain balance between the ability for law enforcement to investigate potential crimes and the rights of individuals and employees.
Continue Reading...
Posted on January 30, 2012
Effective March 1, 2012, Google will put in place a unified privacy policy that will replace over 60 different privacy policies across Google and cover multiple products and features. The move, while presented as an upgrade in order to “create one beautifully simple and intuitive experience across Google”, is necessitated by Google’s new plan to link user data collected across 60 Google products such as Gmail, YouTube and web searches. The data merge is scheduled to take effect on March 1, 2012 and users will not be allowed to opt out of the change. The merger of data collected across Google’s email, video and social-networking services will allow Google to target search results and advertising.
Many critics have raised privacy concerns over Google’s new data merge practices and privacy policy, including some U.S. lawmakers. As internet companies try to gleam more information from their users, they are likely to be met with increased scrutiny from regulators who are concerned about consumer privacy. Some Google senior executives believe the regulators have gone too far in proposing certain measures which could “break the internet”. At the World Economic Forum in Davos, Google’s chief legal officer raised concerns about the EU’s proposed privacy directive requiring explicit user consent to be obtained by website operators for the use of cookies.
Posted on January 27, 2012
Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently issued a press release warning consumers that new technology has the potential to build individually-detailed profiles based on IP addresses, social insurance numbers and even license plates. Her comments highlight a growing trend that the anonymity of personal information is becoming increasingly scarce, especially for online consumers.
The Commissioner’s comments are timely considering that Data Privacy Day is January 28, 2012, a day when awareness of online privacy and data protection is brought to the forefront. Recognized in Canada, the United States and most of Europe, Data Privacy Day is organized by the National Cyber Security Alliance, who seeks to educate the general public about data privacy and to encourage dialogue about data protection among consumers, businesses and governments.
Posted on January 20, 2012
On January 18, for the first time, the Ontario Court of Appeal in Jones v. Tsige explicitly recognized the tort of invasion of personal privacy. In July 2009, Sandra Jones discovered that her co-worker, Winnie Tsige, had been surreptitiously viewing her bank records for four years. Although Jones did not know or directly work with Tsige, Tsige and Jones’ ex-husband were in a common-law relationship. As an employee of the Bank of Montreal (where Jones maintained her primary bank account), Tsige had full access to Jones’ banking information. Contrary to the bank’s policy, Tsige accessed Jones’ banking records at least 174 times. Sharpe J.A. allowed the appeal, ruled that Tsige committed the tort of “intrusion upon seclusion” and granted Jones $10,000 in damages.
Continue Reading...
Posted on January 16, 2012
The arrival of 2012 marked the end of a year filled with numerous developments in technology and IP law. Taking a cue from the Canadian Communications Law blog, we’ve decided that this would be an excellent time to reflect on the past year and review some of its more notable developments. To that end, we’ve put together a list of the top 10 technology and IP law developments from the past year.
Without further ado, here are our picks for the top 10:
- Court of Appeal recognizes reasonable expectation of privacy in contents of work computer - In R. v. Cole, a teacher discovered with nude images of a student on his work laptop was found by the Ontario Court of Appeal to have a reasonable expectation of privacy with respect to his personal files on that laptop.
- No liability for defamation for basic hyperlinks, says Supreme Court - In a decision that came as a relief to bloggers, tweeters, webpage owners and other providers and hosts of internet content, the Supreme Court of Canada clarified in Crookes v. Newton that merely providing hyperlinks to defamatory content will not lead to liability for defamation.
Continue Reading...
Posted on December 22, 2011
More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.
In light of the sometimes confusing, and even contradictory judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.
In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group, attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.
Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.
Posted on December 1, 2011
Late last week, the Supreme Court of Canada (SCC) passed on a chance to shed some light on what it considers to be “reasonable” collection of personal information. It dismissed the Alberta Information and Privacy Commission’s appeal of an Alberta Court of Appeal decision that found “reasonable” collection of personal information to not necessary mean an organization must employ the “best” or the “least intrusive” methods.
As we noted in an earlier post, the Alberta Court of Appeal overturned the Commissioner’s ruling and stated that Leon’s Furniture Limited was justified in collecting driver’s licence and licence plate information from customers picking up furniture. Leon’s argued that the observance of such policy was for fraud prevention and deterrence purposes only and that it assisted police in any ensuing fraud investigations. The Commissioner claimed that Leon’s policy was a violation of Alberta’s Personal Information Protection Act (PIPA or Act), as collection of the disputed information was not “reasonable” under section 11 of the Act and it constituted a “condition of supplying a product or service” under section 7(2) of the Act. Both claims were rejected.
Continue Reading...
Posted on November 9, 2011
David Elder -
A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.
In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, were downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop. While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing.
Continue Reading...
Posted on September 26, 2011
David Elder -
When in Rome, do as the Romans do. Similarly, when doing business in Canada, do as Canadian privacy law requires.
That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements. The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.
Continue Reading...
Posted on September 19, 2011
Paul Karvanis and Joel Freudman -
A recent decision by the Court of Queen’s Bench of Alberta to strike down provisions in Alberta’s Personal Information Protection Act (PIPA) could have ramifications nationwide as the offending provisions are mirrored in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). In United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner) the Court declared several narrow exemptions in the Alberta legislation to be unconstitutional.
Continue Reading...
Posted on September 8, 2011
The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.
Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (despite this latter point still not clear in the case law). Also, at a client’s request, information about the client must be provided within 30 days at no charge, and irrespective of whether or not a solicitor’s lien exists.
The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.
Posted on August 26, 2011
David Elder -
In a problematic judgement, the Federal Court of Canada has awarded damages against a bank for the wrongful disclosure by one of its employees of account information in response to a subpoena.
This is only the second case in which the Court has awarded damages for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA); and like the first damage award under the statute, the amount awarded was minimal. The case is also perplexing, because it seems to contradict the reasoning in an earlier decision by the same court, which established that to be eligible for an award of damages, the alleged injury must result directly from a breach of the Act.
Continue Reading...
Posted on July 26, 2011
David Elder -
In the latest chapter in a $6 million defamation suit by a former mayor, an Ontario court has refused to order the disclosure of the identities of three individuals who used pseudonyms to post to an online forum.
The case of Morris v. Johnson should provide some comfort to those who post commentary anonymously, while serving as a cautionary tale to plaintiffs seeking to get behind the pseudonyms of their critics and detractors.
Continue Reading...
Posted on July 19, 2011
Late last month, the U.S. District for the Northern District of California denied Google’s motion to dismiss a putative class action alleging that the company accessed and used data transmitted through unencrypted Wi-Fi signals (Re Google Inc. Street View Electronic Communications Litigation). Google acquired the data through its Google Street View program, which relied on specially designed Google Street View vehicles to acquire 360° panoramic images of streets across the United States, Canada and other countries. These Google Street View vehicles also featured advanced technology that allowed them to access and store data transmitted through unencrypted Wi-Fi signals.
Ultimately, Google’s motion to dismiss the Plaintiffs’ claims that it violated the federal Wiretap Act was denied. Of particular interest was the court’s interpretation of the statute with respect to Wi-Fi signals. While the Wiretap Act prohibits intentionally intercepting certain electronic communication, the statute provides an exemption for communications that are “readily accessible to the general public”. In considering the applicable provision, which predates the ubiquity of wireless internet technology, the Court compared Wi-Fi technology to that of cellular phones. Specifically, while both use radio waves to transmit communication, both are intended to be private. Ultimately, therefore, the Court found that the plaintiffs’ pleading supported a claim that communications sent via Wi-Fi technology were not “readily accessible to the general public”.
Google quickly indicated that it will appeal the ruling. The widespread use of unencrypted Wi-Fi signals ensures that this case will be closely watched as it progresses.
Posted on June 24, 2011
On April 11, 2011, the Ministry of Communications and Information Technology (Department of Information Technology), Government of India (IT Ministry), issued the following rules regarding the protection of personal information:
- Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
- Information Technology (Electronic service delivery) Rules, 2011
- Information Technology (Intermediaries guidelines) Rules, 2011
(collectively, the Privacy Rules).
The new Privacy Rules represent a dramatic change in India’s policy on protection of personal information, which previously regulated only data security and hacking but not privacy. For more information on the Privacy Rules and discussions of their potential impact on outsourcing transactions, please visit publications posted by Morgan Lewis, Gibson Dunn and DLA Piper.
Posted on June 16, 2011
Alberta’s Information and Privacy Commissioner has applied for leave to appeal to the Supreme Court of Canada from the Alberta Court of Appeal’s decision in Leon’s Furniture v. The Information and Privacy Commissioner of Alberta. In the case, a majority of the Court of Appeal held that an organization’s methods of collecting personal information must only be reasonable and need not be the least intrusive method.
Continue Reading...
Posted on May 27, 2011
David Elder -
It is an unfortunate truism that we can often learn from the misfortunes of others, and this is certainly true with respect to privacy breaches.
Beyond the need for increasingly robust security safeguards, recent media coverage of a number of high-profile privacy breaches offer another ready lesson for corporations that collect and store personal information: information that is not retained cannot be the subject of a data breach.
In one recent breach, the victim of a possible data theft noted that records provided to a vendor were apparently not destroyed, although the outsourcing organization believed that they had been. It was these records that were the subject of data theft by an unknown hacker. In another recent breach case, information was stolen from an internal database of customer information that was no longer being used.
Continue Reading...
Posted on April 4, 2011
David Elder -
Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate.
The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December. Although most of that statute is not yet in force (and, as we noted on our Canadian Communications Law blog, may be delayed in coming into force by the federal election call), last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself.
Continue Reading...
Posted on April 1, 2011
The Ontario Superior Court has held that there is no common law tort of invasion of privacy in Ontario (Jones v. Tsige, 2011 ONSC 1475) . In coming to its decision, the Court emphasized the existence of statutory schemes that govern privacy issues.
The plaintiff claimed that the defendant, her co-worker at a bank, had committed the tort of invasion of privacy by accessing the plaintiff’s private banking records without authorization.
The case law on this issue was mixed as some Ontario court decisions had accepted the existence of this type of tort and others had not.
Continue Reading...
Posted on March 29, 2011
In a judgment released last week, the Ontario Court of Appeal held that the appellant teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop. Specifically, R. v. Cole involved the discovery of nude images of a student on the appellant's laptop by the school's computer technician. The technician copied the images onto a disk for the school's principal and subsequently copied temporary internet files found in the laptop's browsing history onto another disk.
According to the Court,
[a]lthough this was a work computer owned by the school board and issued for employment purposes with access to the school network, the school board gave the teachers possession of the laptops, explicit permission to use the laptops for personal use and permission to take the computers home on evenings, weekends and summer vacation. The teachers used their computers for personal use, they employed passwords to exclude others from their laptops, and they stored personal information on their hard drives. There was no clear and unambiguous policy to monitor, search or police the teachers’ use of their laptops.
Continue Reading...
Posted on January 25, 2011
Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.
Posted on December 22, 2010
David Elder -
This week, the Federal Court of Canada made its first damage award ever under the 10 year old Personal Information Protection and Electronic Documents Act (PIPEDA), awarding damages to a businessman in connection with the provision of inaccurate credit information by a credit reporting agency -- despite a failure to prove actual losses arising from the breach.
While the quantum of the damages awarded in Nammo v. Transunion of Canada Inc., was a modest $5,000 plus costs, the case establishes several important principles respecting the interpretation of PIPEDA and the availability of damages for humiliation stemming from a violation of the Act.
Continue Reading...
Posted on December 2, 2010
According to two recent Federal Court decisions, privacy – though protected by the law - is not worth that much money when it comes to actual damage awards.
While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).
Continue Reading...
Posted on November 26, 2010
David Elder -
This week, the Supreme Court of Canada released a decision that has important implications for the interpretation and application of section 8 of the Canadian Charter of Rights and Freedoms, as well as for privacy law generally. The problematic decision, which includes two sets of reasons concurring in the result and a strong dissent by the Chief Justice and Justice Fish, seems likely to provoke significant debate and potential uncertainty in its application.
In R. v. Gomboc, 2010 SCC 55, the Court considered the limits on the ability of law enforcement to use as evidence subscriber records obtained without a warrant from third party service providers, and more broadly, offered guidance as to what constitutes a reasonable expectation of privacy with respect to such records.
Continue Reading...
Posted on November 5, 2010
Yesterday, the European Commission released a draft strategy for the protection of individuals’ data entitled “A comprehensive approach on personal data protection in the European Union”. The strategy is the result of public and stakeholder consultation throughout 2009 and 2010. While the protection of personal data is currently a hot topic, this strategy is not the first time the European Commission has addressed issues of data protection and electronic privacy. In 1995, the European Union release the Data Protection Directive (95/46/EC), which was a milestone in the EU’s protection of personal data. The Directive, however, has struggled to keep up with the rapid pace of technological advancement, particularly in the area of social media.
The new strategy appreciates the challenges of modern technology and recognizes that the protection of electronic information cannot be seen as a purely national concern. The strategy focuses on the strengthening of individual rights, through the provision of control and autonomy over one’s own personal data, and aims at providing users with greater information about who has access to their data and when such data has been viewed. Most interestingly, the strategy calls for a “right to be forgotten” whereby individuals have the right to completely remove their data from electronic forums, such as social networking sites, if and when they no longer want to participate.
The goal of the Commission is to propose a new general legal framework by mid-2011 that will protect personal data in the EU for all sectors. Currently, the EU has left the door open for public response with the deadline for comment set as January 15, 2011.
Posted on November 2, 2010
On October 28, 2010, the PCI Security Standards Council released version 2.0 of the PCI Data Security Standard (DDS) and the Payment Application Data Security Standards (PA-DSS) reflecting input from the Council’s global stakeholders. This latest version, effective January 1, 2011, is designed to provide greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants. A summary of the changes can be found here. The standards, detailed summary of changes and supporting documentation can be found here.
The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the DSS, PIN Transaction Security (PTS) requirements and the PA-DSS.
Posted on October 29, 2010
A judge of the Supreme Court of New York State has recently held that information voluntarily placed on Facebook and MySpace pages are discoverable, and that doing so would not violate the plaintiff’s right to privacy.
The plaintiff, Romano, claimed that she sustained permanent injuries as a result of an accident and also that she could no longer participate in certain activities and her enjoyment of life was affected. As part of its defense, the defendant brought a motion to obtain complete access to the plaintiff’s current and historical Facebook and MySpace pages and accounts on grounds that the plaintiff has uploaded certain information that would be inconsistent with her claims concerning the extent and nature of her injuries.
Continue Reading...
Posted on October 28, 2010
An Ontario Superior Court Justice has allowed the use of Facebook as a valid method for the service of court documents. In a paternity suit where the mother could not find the father except on Facebook, Justice Cheryl Robertson allowed the mother to serve the father in a message over Facebook. Justice Robertson believes that in today’s connected world, electronic service is the next logical step for the delivery of documents which may otherwise be undeliverable.
Since the Rules of Civil Procedure allow for substituted service when regular service is impractical, Justice Robertson argues that electronic means of service provide a practical solution. E-service is even more useful in the context of family law cases where litigants may be trying to avoid being found in anticipation of child support claims. In a paper she presented earlier this month, Justice Robertson points out that e-service has several advantages over regular service including speed and cost efficiency. Furthermore the person who is serving the document will know immediately if they have sent the documents to the wrong email address or know if a user has been active in checking their Facebook page through their recent activity log. While the use of e-service is on the rise, the judiciary may be slow in adopting it, as many judges may be unfamiliar with different electronic tools. Despite this, Justice Robertson is optimistic that over time the benefits of e-service will win over even the most skeptical opponents.
Posted on September 29, 2010
Canada's Privacy Commissioner Jennifer Stoddart has revealed concerns over Facebook's "like" button. While the Commissioner very recently announced the conclusion of a prior privacy investigation that began in 2008, she revealed that this new probe was only one of several other issues the Commission has with Facebook. When it was first implemented, the “Like” button was meant only for users on the Facebook website to indicate their preference for items posted on their friend’s Facebook pages. In April, Facebook began to offer its “Like” button to external websites leading to uncertainty over how the private information of users who clicked the button would be used. It is now estimated that over 350,000 websites have adopted the “Like” button with over 65 million clicks to the button a day. Despite these ongoing investigations by the Commissioner, Facebook’s Chief Privacy Counsel Michael Richter maintains that Facebook continues to be dedicated to giving users control over their private information.
Posted on September 15, 2010
Compagnie d’assurances Standard Life c. Tremblay, 2010 QCCA 933 (CanLII)
On May 11, 2010, the Quebec Court of Appeal issued a definitive judgment in support of privacy rights in the case of Standard Life v. Tremblay. Upholding the trial decision, the Quebec Court of Appeal maintained the damages awarded which included a punitive sum of $100,000.00 to the plaintiff Tremblay against Standard Life Insurance Company (Standard Life).
Continue Reading...
Posted on August 23, 2010
Recent amendments to Alberta’s Health Information Act, and related regulations, come into force on September 1, 2010. The amendments touch on a range of issues including the applicability of the statute, sharing of electronic health records, the creation of health information repositories and additional investigative powers for the Information and Privacy Commissioner of Alberta.
Continue Reading...
Posted on August 13, 2010
Bill C-29, a proposed amendment to the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”), seeks to enhance the private-sector privacy legislation in Canada.
Bill C-29 which was first read on May 25, 2010, is expected to provide clarification for insurers, corporations and federal employers, who under the existing PIPEDA provisions have voiced uncertainty as to what investigative steps they can take without violating Canadian privacy laws. The current PIPEDA provisions allow for the collection, use and disclosure of personal information, without consent, only when there is a breach of contract or law. The Privacy Commissioner has been of the view that under the current PIPEDA provisions, the mere suspicion of a crime or a breach of contract is not grounds for an investigation in the private-sector.
If passed, Bill C-29 proposes amendments which include clarification of the meaning of “lawful authority” pursuant to Section 7 of the Act, and the collection and use of witness statements where it is necessary for an insurance claim. Ultimately, the Bill would permit organizations to access this information without the knowledge or consent of an individual for the purposes of preventing fraud and other unlawful activity. Amendments to the Act contained in Bill C-29 would affect mainly those involved in insurance, employment, and corporate due-diligence investigations.
Posted on August 9, 2010
State Farm Mutual Automobile Insurance Company v. The Privacy Commissioner of Canada et al., 2010 FC 736
On July 9, 2010, the Federal Court of Canada restricted the scope of the definition of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA), when it was asked to determine whether the provisions of PIPEDA apply to evidence collected by an insurer, on behalf of an insured, in a tort action.
Continue Reading...
Posted on July 6, 2010
Prompted by meetings with the Office of the Privacy Commissioner of Canada (OPC) earlier this year to improve its privacy settings, Facebook has announced that users can now choose an “opt-in” option before allowing third-party applications to access their personal information. This will allow the website’s users to see exactly which parts of their personal data third-party applications will need before they choose to download them.
Previously, third-party applications were required to ask for a user’s permission before accessing any personal information, but they were not asked to specify exactly what information was needed. Now, third-party applications must list exactly what information they will need, such as photos, videos or friends’ lists. The new privacy settings also allow users to give permission to a third-party application before it can access their friends’ data.
Although the option to “opt-in” is a welcome change from the option to “opt-out”, most third-party applications must still be allowed to access all the data before they can run.
Posted on June 28, 2010
On June 21, 2010, Apple updated its privacy policy making it easier for the company, its partners and licensees to "collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device."
Location-based services are becoming big business in everything from mobile advertising to on-demand multimedia services. Individuals can already use applications such as Clip Mobile’s coupon application to receive deals, sign into FourSquare to let their social networks know where they are, and get turn-by-turn navigation details on their smartphones.
Apple maintains that the location-based data collected by Apple will be anonymous, and will be used only to offer specialized location-based services to its users.
The changes have prompted two Congressmen (Texas Republican Joe Barton, co-chairman of the House Bi-Partisan Privacy Caucus and Massachusetts Democrat Edward Markey) to write a joint letter to Apple CEO Steve Jobs, asking him to explain the changes made by the company to its user privacy policy by 12 July.
The changes will affect nearly all Apple-users as individuals must agree to the new privacy policy in order to download anything from the iTunes store. There currently appears to be no way to opt-out of this data collection without giving up the ability to download apps.
Posted on June 22, 2010
A post on Slaw today contains a discussion of Alberta's Personal Information Protection Amendment Act, 2009 by Stikeman Elliott partner Wesley Ng. Specifically, Mr. Ng considers the new requirements respecting written policies and procedures and notification.
Posted on June 14, 2010
Justine Whitehead
On May 25, 2010, the Canadian government introduced Bill C-28, an act that would establish the federal Fighting Internet and Wireless Spam Act (“FIWSA”), and make significant consequential amendments to other federal legislation, including Canada’s Competition Act; Telecommunications Act; and Personal Information Protection and Privacy Act (PIPEDA).
Continue Reading...
Posted on June 2, 2010
Responding to the latest public outcry, Facebook CEO Mark Zuckerberg recently announced a number of new policies and settings; however, the changes may not be enough to satisfy regulators and critics. The Office of the Privacy Commissioner of Canada (OPC) recently responded to Facebook’s new privacy settings, warning that Facebook has not gone far enough to satisfy its commitments to the OPC.
Continue Reading...
Posted on May 25, 2010
The Canadian federal government is taking aim at improving the security of Canadian online commerce.
The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), announced a series of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA).
Continue Reading...
Posted on May 17, 2010
Courts in Nova Scotia and Ontario recently issued conflicting decisions on the ability of a plaintiff to compel a website to reveal the identities of online commentators.In both cases, the plaintiff in a defamation suit sought the identities of individuals who had posted allegedly defamatory comments to a website.In the Nova Scotia case, the court granted the order; in Ontario, the court refused it.The Ontario decision made it clear that such orders are not automatic – the court must be satisfied that there is a prima facie case for defamation, and must also weigh the public interest in disclosure against the freedom of expression and privacy interests of the parties. These issues were not addressed in the Nova Scotia decision.
Continue Reading...
Posted on May 12, 2010
Barbara B. Johnston, Gary T. Clarke, Birch K. Miller and April Kosten
Effective May 1, 2010, amendments to Alberta's Personal Information Protection Act (PIPA) are in force, which provide new and notable requirements applicable to organizations.
Notification respecting service providers outside of Canada
Organizations that use service providers outside of Canada to collect personal information about individuals or that transfer personal information to service providers outside of Canada must notify individuals of:
- the ways in which they may obtain access to written information about the organization's policies and practices with respect to service providers outside of Canada; and
- the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.
Such notification must be provided before personal information is collected by, or transferred to, the service provider.
Continue Reading...
Posted on December 16, 2009
In November 2009, Facebook responded to privacy concerns by publishing a new, natural language privacy policy. The new policy will first be available for public review and comment, before eventually replacing the current “legalese” version. Last August, Facebook was forced to change its privacy policy, in response to a complaint filed by a Canadian law student with Canada’s Privacy Commissioner. The natural language privacy policy reflects Facebook’s goal to improve “transparency and readability”, according to communications and public policy executive Elliot Schrage.
Posted on November 21, 2009
In 2008, the U.S. enacted the Genetic Information Nondiscrimination Act of 2008 (GINA) to prohibit discrimination in health coverage and employment based on genetic information. While many states have already enacted legislation that prohibitions discrimination based on genetic information, the degree of protection provided by state laws varies widely and the federal act provides a minimum baseline of protection. GINA prohibits health insurers or administrators from requesting or requiring genetic information from an individual or an individual’s family members. GINA also prohibits employers from using genetic information on any decisions regarding employment.
Posted on November 16, 2009
On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.
The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.
The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.
Posted on October 29, 2009
An Ontario Court judge recently rejected Royal & Sun Alliance Insurance Co.’s bid to see a woman’s Facebook profile in a case where the woman was suing to recover for injuries suffered in a car crash. The judge stated that the plaintiff’s privacy would be respected unless the defendant could prove a legal entitlement to the ruling. The judge gave the defendant an opportunity to cross-examine the plaintiff to try to prove a legal entitlement, but refused to do anything further. This decision represents a slightly stronger stance towards privacy than the Leduc v. Roman case discussed in an earlier post.
Continue Reading...
Posted on October 28, 2009
In response to inquiries from organizations seeking clarification as to the application of privacy laws in the private sector workplace during the H1N1 pandemic, the Office of the Privacy Commission of Canada, together with the Office of the Information and Privacy Commission for British Columbia and the Office of the Information and Privacy Commission of Alberta published a guidance document on the issue.
The federal Personal Information Protection and Electronic Documents Act, and the provincial privacy legislation in Alberta, British Columbia and Quebec apply in the usual way in the event of “non-emergency” situations. However, in the event of the declaration of a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Orders issued under public health legislation could require the collection, use and disclosure of certain information relating to employees and customers, which collection would not be impeded by private sector privacy legislation.
The guidance document encourages employers to provide employees with information on prevention rather than asking employees personal questions that go beyond what is reasonable and minimally necessary.
Posted on October 21, 2009
Canada's federal telecommunications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), has recently released a regulatory policy decision clarifying its legislative authority within Canada's Telecommunications Act to police discriminatory internet traffic management practices by ISPs and its position in favour of net neutrality. In addition, this decision also enhances the protection of personal information collected by ISPs by seeking to “impose a higher standard than that available under PIPEDA in order to provide a higher degree of privacy protection for customers of telecommunications services.”
Continue Reading...
Posted on June 17, 2009
In June 2009, the Alberta Court of Appealhad the occasion to consider the expectation of privacy of employees with respect to their workplace computers and found that an employer is “entitled not only to prohibit use of its equipment and systems for pornographic or racist purposes but also to monitor an employee’s use of the employer’s equipment and resources to ensure compliance.”
The case of Poliquin v. Devon Canada Corporation (2009 ABCA 216) examined the availability of a summary judgment motion in a wrongful dismissal case. Mr. Poliquin was terminated from his position as a senior supervisor at Devon Canada after 26 years of service for, among other things, using a workplace computer to access and exchange pornographic and racist emails.
Continue Reading...
Posted on May 27, 2009
The Office of the Privacy Commissioner of Canada (OPC) issued a guidance document outlining the privacy obligations and responsibilities of private sector organizations contemplating and engaging in covert video surveillance.
The OPC notes that it considers covert video surveillance to be an extremely privacy-invasive form of technology, the use of which should only be considered in the most limited cases.
The guidance document notes that capturing images of identifiable individuals through covert video surveillance is considered to be a collection of personal information, irrespective of the fact that it may occur in a public place, and as such, is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).
Continue Reading...
Posted on April 14, 2009
Even when it's sitting on your property awaiting collection, garbage - and the private information it contains - may be vulnerable to police and public scrutiny
Karen E. Jackson, Wesley Ng and Andrew Cunningham
R. v. Patrick
Supreme Court of Canada, 2009 SCC 17 (April 9, 2009)
This Supreme Court of Canada ruling, which arose in the context of a criminal drug prosecution, underscores the importance of careful disposal of documents containing confidential information or other information that could potentially be embarrassing or damaging to your company's interests. The essence of the Court's ruling is that waste left for disposal "at the curb" - and the information it contains - is fair game for police search and seizure, and arguably for perusal by reporters or members of the general public as well. Even where trash is left for pick up on your own private property, it can be vulnerable if it can easily be reached from public property. The lesson is never to dispose of sensitive material by leaving it for pick-up on the periphery of one's property. Lockable bins, fencing, signage and other indicia of an intention to maintain control of refuse until it can be securely transferred into disposal vehicles are key to keeping your trash out of the hands of those who would recycle it into a gold mine of information about your business.
Continue Reading...
Posted on February 2, 2009
Leduc v. Roman, 2009 CanLII 6838 (Ont. S.C.J.).
Alex Colangelo
Existence of Facebook profile allowed for inference that private portion of profile may contain relevant material
The parties in this case were involved in a motor vehicle accident in 2004. The plaintiff subsequently initiated an action claiming that the defendant’s negligence resulted in a lessened enjoyment of life. Sometime after Mr. Leduc’s examination for discovery, defence counsel discovered that the plaintiff maintained a Facebook account. The privacy settings on the account, however, restricted access to his profile, resulting in only the plaintiff’s name, city of residence and profile photograph being accessible to the defendant.
Continue Reading...
