CASL confusion: what July 1 really signifies for marketers

David Elder - 

July 1, 2017 is not only Canada’s 150th birthday -- it is also marks three years since Canada’s Anti-Spam Legislation (CASL) has been in force.  While Canadian businesses are unlikely to celebrate the latter anniversary with barbecues and fireworks, July 1 will signify an important change in the way that CASL will apply. 

Unfortunately, there seems to be some confusion about what the approaching deadline really means for marketers.  From a CASL perspective, July 1 is important for 3 reasons:

Private right of action

Let’s start with what it doesn’t mean: July 1 will no longer mark the coming into force of the private right of action contained in the law.  This provision would have allowed civil suits to be filed against individuals and organizations for alleged violations of the law.  In addition to suing for actual damages, the provision also would have allowed plaintiffs to claim statutory damages (which need not be proved) of up to $200 – including for receipt of a non-compliant email message.

Continue Reading...

CRTC slashes anti-spam fine in first review decision

David Elder -

In the first case considered by the appointed members of the CRTC under Canada’s Anti-Spam Law (CASL), the Commission has significantly reduced the size of the penalty previously issued by staff, potentially raising questions about the appropriateness of previous AMPs issued under the law.

A Notice of Violation was originally issued by CRTC staff to Blackstone Learning Corporation in January of 2015, requiring that company to pay an Administrative Monetary Penalty (AMP) of $640,000.  However, following a review by the CRTC, the amount payable has been reduced to $50,000.

Continue Reading...
Tags: ,

CRTC gets frosted at Kellogg's over email violations

David Elder

In the fifth, and most recent, enforcement decision relating to compliance with Canada’s Anti-Spam Legislation, the CRTC has announced that Kellogg Canada has voluntarily entered into an undertaking respecting alleged non-compliance, which includes payment of $60,000 in penalties.

The undertaking resulted from an alleged failure to obtain consent from recipients prior to sending commercial electronic messages.  The alleged violations apparently occurred over an 11-week period in late 2014.

Continue Reading...
Tags: ,

Privacy Shield formally adopted by the European Commission

Michael Decicco and Rona Ghanbari

On July 12, 2016, the European Commission (Commission) formally adopted the EU-US Privacy Shield (Privacy Shield) by issuing its adequacy decision, providing a new structure for cross-border data transfers from the European Union (EU) to the United States.


The Privacy Shield was developed after the Commission’s previous adequacy decision regarding the Safe Harbour framework was declared invalid by the Court of Justice of the EU. Following extensive negotiations, which considered concerns and recommended changes from the Article 29 Working Party, the Commission and the United States reached an agreement on the terms of the Privacy Shield.

Continue Reading...

CRTC partners with global agencies to enforce spam and telemarketing rules

David Elder - 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced that it has signed a memorandum of understanding with 10 domestic and global enforcement agencies to aid in the enforcement of spam and telemarketing laws.  However, while the announcement is certainly a step in the right direction, many of the countries that produce the most spam were not at the table.

The agreement is intended to promote cooperation between the various enforcement agencies, and includes commitments by each signatory to share information and intelligence regarding unsolicited communications, where permitted by the laws of its jurisdiction.  

Continue Reading...

Cyber-attacks: why any business may be at risk and five possible ways to address the risks

Vanessa Coiteux - 

In this article, Stikeman Elliott’s Vanessa Coiteux reminds us that the risk of cyber-attack is by no means confined to businesses in certain industries. She identifies five cybersecurity risk factors that apply to most or all businesses and discusses how to address them. These observations will be of particular interest to corporate directors who, as the article notes, increasingly have to take the risk of cyber-attacks into account – including in situations where the acquisition or sale of a business is being contemplated.

  • “This is not a big public company!”
  • “This is not a financial institution or a retail company!”
  • “There must be more valuable information to hack out there!”
  • “Putting cybersecurity measures in place is costly!” 
Continue Reading...

New EU-US Safe Harbour Agreement

Michael Decicco and Eryn Fanjoy

On February 2, 2016, the European Commission announced that it reached a deal to replace the EU-US Safe Harbour framework that was declared invalid last year by the Court of Justice of the European Union (CJEU).  Referred to as the “EU-US Privacy Shield”, the new framework should provide businesses with guidance for the safe transfer of personal information of citizens of the European Union (EU) to the United States. 


The CJEU declared the old Safe Harbour framework invalid on October 6, 2015.  Under the EU Data Protection Directive, the personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. The old Safe Harbour agreement, negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU businesses to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. One of the CJEU’s primary concerns with the old framework was the massive and indiscriminate surveillance of personal information of EU citizens in the United States, which was viewed as incompatible with the “fundamental rights” of EU citizens. 

Continue Reading...

Ontario Superior Court creates new privacy tort in revenge porn case

Justine Johnston -

On January 21, 2016, the Ontario Superior Court released its decision in Doe 464533 v D, 2016 ONSC 541, recognizing for the first time the new privacy tort of public disclosure of private facts. The Court’s decision explicitly expands the common law protection of privacy and demonstrates how courts can recognize and provide relief to victims of cyberbullying.

The public disclosure of private facts tort arose from an egregious case of revenge porn cyberbullying. The defendant posted a sexually explicit video of the plaintiff under the user submission section of a pornographic website. When the plaintiff became aware that the video had been posted online, the defendant admitted to uploading it and removed it from the website. Although the video was “removed”, the Court acknowledged that there is no way to know how many times it was viewed or downloaded or if and how many times it may have been copied onto other media storage devices or recirculated. 

Continue Reading...

CRTC executes another raid in malware investigation

David Elder - 

The Canadian Radio-television and Telecommunications Commission (CRTC) has announced the execution of another warrant under Canada’s Anti-Spam Legislation (CASL), this time at two locations in the Niagara region of Ontario.

This is only the second such warrant executed by the CRTC under the anti-spam law.  As in a recent previous announcement respecting the execution of a similar warrant, the warrant was issued as part of an ongoing investigation, and the party that was the subject of the warrant was not identified.

Continue Reading...
Tags: ,

Fourteen not-so-simple rules for implementing a BYOD program

Kelly O'Ferrall -    

In case you missed it over the summer, the Office of the Privacy Commissioner of Canada, together with the Alberta and British Columbia Privacy Commissioners, teamed up to create guidelines (the Guidelines) to address what employers should consider when implementing policies that allow employees to use their own mobile devices for both work and personal purposes (i.e., a Bring Your Own Device or BYOD policy).

Employers often cite cost savings and convenience as reasons for instituting BYOD policies. Further, as employees are quite often already using their own devices for business purposes (or their work devices for personal purposes), implementing a formal BYOD policy allows employers to clarify the rules and expectations with respect to such use.  Notwithstanding the apparent benefits of having a BYOD arrangement, the Guidelines convey an underlying message that such arrangements should be approached with caution in light of the requirements contained in applicable privacy legislation. Specifically, the obligation to maintain the security of personal information.

Continue Reading...

EU-US safe harbour for data transfers declared invalid - Canadian implications

Michael Decicco

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the decision underlying the European Union’s (EU) safe harbor structure for cross-border data transfers from the EU to the United States in Schrems v. Data Protection Commissioner of Ireland (Schrems).  Shortly following the CJEU’s decision, the Article 29 Data Protection Working Party (Working Party) issued a statement outlining its views as to the consequences of the CJEU decision in Schrems.  The decision may directly impact Canadian businesses which transfer data from the EU to the United States or which host data in the United States.

Safe Harbor and Schrems

Under the EU Data Protection Directive, personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards.  Safe Harbour, which was negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU companies to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States.  To benefit from Safe Harbour, a company was required to self-certify to the United States Department of Commerce that it complied with specified EU privacy standards. 

Continue Reading...

Snoops and gossips beware: Ontario Government to introduce stiffer measures to protect patient privacy

Recently, the Government of Ontario announced its intent to strengthen the rules protecting patient privacy. If passed, these amendments to the Personal Health Information Protection Act (PHIPA) would include:

  • Mandatory reporting of privacy breaches to the Privacy Commissioner and potentially the regulatory colleges;
  • Allow individuals to more easily prosecute offences under PHIPA by removing the 6 month limitation period following an alleged privacy breach;
  • Increasing institutional fines for offences from $250,000 to $500,000;
  • Increasing individual fines for offences from $50,000 to $100,000; and
  • Clarifying how and when healthcare providers may collect, use and disclose personal health information contained in electronic health records.
Continue Reading...

Privacy Commissioner study finds compliance gaps with online behavioural advertising

David Elder - 

New research released by the Office of the Privacy Commissioner of Canada (OPC) suggests that most advertising organizations placing behaviourally targeted online advertising are meeting privacy requirements, although the report also suggests there are a number of areas for improvement.

The study showed that most advertising organizations are providing some form of notification to users, as well as an opt-out mechanism; however, the research also suggests that some opt-out procedures can be confusing or cumbersome, and some of the advertising organizations are continuing to serve ads based on sensitive topics.

Continue Reading...

SEC issues cybersecurity guidance for registered investment advisers and funds

In a recent investment management guidance update, the United States Securities and Exchange Commission (SEC) addressed the need for greater cybersecurity measures to protect confidential and sensitive information held by registered investment companies and registered investment advisers. The SEC identified several measures, in light of recent cyber-attacks on financial services firms, that funds and advisers may wish to consider in addressing cybersecurity risks, including:

Continue Reading...

First blood: CRTC imposes $1.1 million fine in first ever finding under anti-spam law

David Elder -

Eight months after Canada’s Anti-Spam Law (CASL) came into force, the Canadian Radio-television and Telecommunications Commission (CRTC) has made public its first ever finding of non-compliance with the Act, issuing an administrative monetary penalty of $1.1 million against Compu-Finder, a firm that provides training and consulting services.

Surprisingly, this much anticipated enforcement action was not against a firm targeting consumers, as many had suspected, but rather was directed at a firm sending email messages to businesses to promote various training courses related to topics such as management, social media and professional development.   It is believed by many that the overwhelming majority of the more than 250,000 complaints received by the CRTC since the law came into force have been from consumers.  In the case at hand, the CRTC indicated that over one quarter of all complaints about the training industry sector received by the Spam Reporting Centre related to Compu-Finder, although it is not known how many complaints were received.

Continue Reading...
Tags: ,

FTC report on the Internet of Things urges companies to adopt privacy and data security best practices

Michael Decicco

On January 27, 2015, the United States Federal Trade Commission (FTC) released a report discussing privacy and data security in consumer devices connected to the internet. 

The Internet of Things (IoT)

The FTC defined the IoT to include things such as devices or sensors, other than computers, smartphones or tablets, that connect, communicate or transmit information with or between each other through the internet.  For example, smart thermostat systems or washers and dryers that utilize Wi-Fi for remote monitoring.

Data Security and Privacy Risks

While the FTC acknowledged some benefits of the IoT, it cautioned that the IoT presents a variety of data security and privacy risks.  The risks include: (i) the enabling of unauthorized access to and misuse of personally identifiable information (PII), (ii) the facilitation of attacks on other interconnected systems, and (iii) the creation of safety risks.  While the first two risk factors are common in the traditional computing environment, the third represents a new, physical type of risk.  For example, it may be possible to remotely hack into a connected medical device and change its settings, impeding its therapeutic function.

Continue Reading...

Global privacy authorities urge app marketplaces to make links to privacy policies mandatory

The Privacy Commissioner of Canada and 22 other privacy authorities worldwide recently issued an open letter to the operators of seven leading app marketplaces urging them to make links to privacy policies mandatory for apps that collect personally identifiable information (PII).

The letter was issued following the second annual Global Privacy Enforcement Network privacy sweep, which we discussed in a previous post.  While the letter acknowledges that app developers are responsible for communicating their privacy practices to app users, it emphasizes an app marketplace operator’s unique and integral role in users’ interactions with mobile apps. The letter described app marketplaces as important consumer landing spots where individuals can search for new apps, read reviews and access technical information in order for an individual to make an informed decision about apps in the marketplace.

Accordingly, the letter urges that app marketplaces require privacy practice information, such as privacy policy links for apps that collect PII, to be made available to users to ensure that users are meaningfully informed regarding the collection and use of their PII prior to deciding to download an app.


ISO 27018: Data protection standards for the cloud

Michael Decicco

In 2014, the International Standards Organization (ISO) added to its family of information security standards when it published ISO/IEC 27018, a code of practice that sets forth standards for the protection of personally identifiable information (PII) in the public cloud.

ISO/IEC 27018 provides best practices for public cloud service providers and establishes a common set of control objectives, controls, and guidelines for implementing measures to protect PII. 

Continue Reading...

Bill 3 - Personal Information Protection Amendment Act in force

Gloria Moore and Gary Clarke -

On December 17, 2014, the Alberta Government’s proposed amendments to the Personal Information Protection Act (PIPA), found in Bill 3, came into force.

The proposed amendments to PIPA and the motivation for the changes are discussed in our previous blog post.

Continue Reading...

The Federal Communications Commission asserts its role as a regulator of data security

The Federal Communications Commission (the FCC) recently took action against two United States telecommunications service providers, TerraCom, Inc. and YourTel America, Inc. (the Companies) in the FCC’s first data security case and largest privacy action in the FCC’s history.  The FCC is fining the Companies US$10 million for allegedly willfully and repeatedly violating the Communications Act of 1934.

Continue Reading...

Alberta's proposed amendments to PIPA for labour disputes

Gloria Moore and Gary Clarke -

On November 25, 2014, the Alberta Government’s proposed amendments to the Personal Information Protection Act (PIPA), found in Bill 3, passed the second reading of the legislature.

The proposed amendments are in response to the decision of the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401. In that case, the Supreme Court of Canada declared PIPA to be unconstitutional and invalid, holding that it infringed on the freedom of expression guaranteed by the Canadian Charter of Rights and Freedoms by limiting the ability of the union to video-tape and photograph individuals crossing the picket line. The Supreme Court of Canada held that freedom of expression in the context of labour disputes must be balanced against the government’s objective of providing individuals control over their personal information when crossing a picket line. The declaration of invalidity for PIPA was suspended for 12 months, in order to give the legislature time to consider amendments to make PIPA constitutionally compliant. On October 30, 2014, this deadline was extended for an additional six months.  

For more background, please see our previous blog posts by David Elder regarding the  leave decision and the decision of the Supreme Court.

Continue Reading...

CRTC clarifies that anti-spam law won't apply to self-installation of computer programs - most of the time

David Elder -

CRTC staff has issued important guidance on its interpretation of section 8 of Canada’s Anti-Spam Legislation (CASL), noting that the law would not apply to most installations initiated by users, including the downloading of mobile apps from popular digital distribution platforms like The App Store, Google Play and BlackBerry World.

While much attention has been paid to the core anti-spam provisions of CASL, which came into force on July 1, less attention has been paid to date with respect to section 8, which governs the installation of computer programs in the course of commercial activity.  However, as the January 1, 2015 coming into force date nears for that provision, many businesses have been struggling to understand their legal obligations and take the necessary steps to comply.

Continue Reading...

Overdue legislative action threatens existence of made-in-Alberta privacy laws

Michael Decicco and Daniel Hamson –

On November 15, 2013, the Supreme Court of Canada issued its decision in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401 (United Foods), ruling that Alberta’s Personal Information Protection Act (PIPA) was unconstitutional and declaring it invalid. As noted in a previous post, the Court suspended the declaration of invalidity until November 15, 2014 in order to provide the legislature with sufficient time to decide how to best make the law constitutional.

Continue Reading...

Mobile applications - results of global study of privacy practices and tips for increasing transparency

Michael Decicco and Lin Cong

The Global Privacy Enforcement Network recently published the results of its second annual privacy enforcement survey or “sweep” which assessed the transparency of the privacy practices of popular mobile applications. The results of the sweep suggest that the privacy policies of a high proportion of mobile applications do not adequately explain how users’ personal information is collected, used and disclosed. The general conclusion of the sweep was that clear and concise language in privacy policies builds consumer trust and is good for business.

The Office of the Privacy Commissioner of Canada (Commissioner) participated in the sweep and focused on 151 mobile applications that were popular among Canadians. The key findings of the Commissioner are as follows:

  • 28% of the applications surveyed provided a clear explanation of their collection, use and disclosure of personal information practices;
  • 26% of the applications surveyed offered either no privacy policy or one that did not explain how users’ personal information would be collected, used or disclosed; and
  • among the applications with the best privacy practices were popular applications in the e-marketplace.
Continue Reading...

Landmark decision recognizes an individual's right to privacy over his or her online activities

Michael Decicco and Tracy Chen

The Supreme Court of Canada recently released its decision in the landmark case of R. v. Spencer, in which it found that a police request to an Internet service provider for subscriber information constituted a search under the Charter of Rights and Freedoms, and that Internet users have a reasonable expectation of anonymity in their online activities.


In Spencer, police identified the IP address of a computer that an individual had used to access and store child pornography through a file-sharing program. The person had downloaded the offending material into a folder that was accessible to other users using the same program.

Continue Reading...

B.C. Supreme Court certifies class action against Facebook

David Spence and Kathleen Elhatton-Lake -

On May 30, 2014, the British Columbia Supreme Court released its decision in Douez v. Facebook, granting the Plaintiff’s motion to certify a claim for statutory breach of British Columbia’s Privacy Act (the Privacy Act) against the defendant, Facebook.

The Plaintiff alleged that Facebook had taken names and images of Facebook users in British Columbia without the knowledge or consent of the user and featured them in “Sponsored Stories”. Sponsored Stories were advertisements, featuring the Facebook user’s name or likeness, that were sent to the user’s contacts without his or her knowledge or consent. Section 3(2) of the Privacy Act provides that:

Continue Reading...

New cyberbullying bill resurrects many police powers from scrapped "lawful access" bill

David Elder -

A new proposed federal law would make it a crime to distribute “intimate images” without the consent of the subject of those images; however, the new law would also create new police powers and procedures that go well beyond the context of cyberbullying to cover a broad range of online activity associated with other crimes.  The breadth of the cyberbullying offence may also raise concerns for news media about possible criminal liability for reporting certain stories.

In fact the bill, introduced as Bill C-13 and entitled the Protecting Canadians from Online Crime Act, appears to resurrect many of the provisions from the last incarnation of the failed lawful access bill, Bill C-30.  Bill C-13 seems to reintroduce much of what had been Part 2 of the earlier bill, including many of the proposed new and amended powers respecting the preservation and production of various types of electronic data, including the provision by telecommunications service providers of transmission or metadata associated with electronic communications, as well as setting out the procedures through which these orders would be obtained.

Continue Reading...

No dice: Supreme Court declares Alberta privacy law unconstitutional in Palace Casino case

David Elder -

In a landmark ruling, the Supreme Court of Canada has declared Alberta’s Personal Information Protection Act (PIPA) to be invalid in its entirety, finding that it infringes the freedom of expression guaranteed by the Canadian Charter of Rights and Freedoms by limiting the ability of labour unions to videotape and photograph individuals crossing a picket line.

The declaration of invalidity is suspended for a period of 12 months to give the legislature time to decide how best to make the law constitutional. In light of the “comprehensive and integrated structure” of the law, the Court decided to strike PIPA down in its entirety, rather than declare as invalid particular provisions.

Continue Reading...

Manitobans get new privacy law, but no one to complain to

David Elder and Bessie Qu -

Nearly a decade after British Columbia and Alberta enacted their own private sector privacy laws, Manitoba’s Legislative Assembly recently passed the Personal Information Protection and Identity Theft Prevention Act (PIPITPA or the Act), a privacy statute governing the private sector in that province.

The Act, which has yet to be proclaimed in force, will apply to the collection, use and disclosure of personal information by organizations carrying on commercial activities in Manitoba, and will govern the handling of both consumer and employee information. While much of the Act is modeled after Alberta’s Personal Information Protection Act (PIPA), several differences are worth noting:

Continue Reading...

New privacy bill would require breach notification, allow Commissioner to make orders

David Elder -

In an apparent attempt to apply pressure to the government to amend the federal private sector privacy law, New Democrat Digital Issues Critic Charmaine Borg recently introduced a private members bill that would introduce mandatory data breach reporting and provide the Privacy Commissioner of Canada with direct enforcement powers.

The government’s own bill to amend the Personal Information Protection and Electronic Documents Act (PIPEDA) was introduced in September of 2011, but Bill C-12, as the bill is known, has not moved forward since that time. 

Continue Reading...

Crossing the line: Supreme Court of Canada to consider balance between privacy rights and freedom of expression in picket line videotaping case

David Elder -

In an important constitutional case, the Supreme Court of Canada has granted leave to hear an appeal from a decision that found that the application of privacy law to the videotaping of individuals crossing picket lines infringed the Canadian Charter of Rights and Freedoms.

 As we noted in a previous post, the judgment in question considered the activities of a union that had videotaped picketing activity during a strike at an Edmonton casino.  Like other Canadian private sector privacy laws, Alberta’s Personal Information Protection Act (PIPA), generally requires the consent of individuals for the collection, use and disclosure of their personal information, including videotaped images of identifiable individuals.  The union, which did not obtain such consent, videotaped and photographed the picket lines in order to publicize the images of individuals crossing the lines. 

Continue Reading...

One more province (partially) exempt from PIPEDA

The Federal government has expanded the list of organizations that are exempt from the Personal Information Protection and Electronic Documents Act (PIPEDA) on the basis that similar provincial legislation sufficiently protects the relevant personal information. As of October 10, 2012, health care organizations subject to Newfoundland and Labrador’s Personal Health Information Act (PHIA) are exempt from PIPEDA because provincial legislation is “substantially similar”.

Newfoundland and Labrador is now the sixth province to be granted an exemption from some or all of Part I of PIPEDA, and the third to enact exempted personal health information legislation.

Continue Reading...

Supreme Court of Canada says reasonable expectation of privacy for workers continues on employer-supplied laptops

David Elder -

Employees in Canada retain some reasonable expectation of privacy in personal data stored on an employer-supplied laptop, even where workplace policies and practices provide that all information stored or generated on such devices is the property of the employer, says the Supreme Court of Canada. However, the implications of this criminal law case remain unclear for private sector employers.

In its judgement in R. v. Cole, on appeal from a decision of the Ontario Court of Appeal, the Court considered the case of an Ontario high-school teacher, on whose school board-supplied laptop a school technician found nude images of a student. The technician copied the photos in question onto a disk for the school’s principal, who seized the laptop and informed police, who took possession of the laptop and disks, then examined their contents. The police did not obtain a warrant before seizing the equipment or examining the contents.

Continue Reading...

High Court stands behind victims of online bullying

Anti-bullying advocates will applaud a recent Supreme Court of Canada decision that paves the way to give young victims of online bullying stronger legal rights. The case of A.B. v Bragg Communications Inc. is notable as it directly pits society’s interest in the protection of children from cyberbullying against freedom of the press and the open court principle.

The facts of the case are straightforward. A 15-year old Nova Scotia girl, identified only as A.B., discovered that someone had created a phony Facebook profile using her name and picture. The picture was accompanied by some unwelcomed commentary about the girl’s appearance along with sexually explicit references. A.B. applied to a Nova Scotia court for an order requiring Eastlink, an internet service provider, to disclose the identity of the person(s) standing behind the IP address used to publish the phony Facebook profile. In order to protect her privacy, A.B. also asked the court for permission to make her application anonymously and for a publication ban on the contents of the fake Facebook profile. Her request to proceed anonymously and under a publication ban were denied by the trial judge and the Court of Appeal but those decisions were partially overturned in this case by the Supreme Court of Canada.

Continue Reading...

Leading websites in Canada found to leak personal information

Research by the Office of the Privacy Commissioner of Canada found that leading websites in Canada are providing registered users’ personal information to third-party websites without their users’ knowledge or consent. The third-party recipients include advertising, marketing, social networking and web analytics websites.

The study found that one out of four websites in the sample regularly disclosed its users’ personal information to third-parties. According to the Privacy Commissioner, the findings raise significant questions about compliance with privacy laws in the online world.


Alberta Court finds application of Personal Information Protection Act to union's activities unconstitutional

As we discussed in a blog post last year, the Alberta Court of Queen’s Bench recently struck down provisions of Alberta’s Personal Information Protection Act (PIPA) that were found to infringe the right to free expression under the Charter. The case considered the activities of a union that had videotaped picketing at the West Edmonton Mall casino in order to publicize images of individuals that crossed the picket lines. At trial, the union had relied on a number of arguments to justify its activities, including the fact that PIPA does not apply to personal information collected for journalistic purposes, as well as the exemption from the consent requirement with regards to personal information that is “publicly available”. Ultimately, the trial court found the provisions in question to be too narrow and, thus, unconstitutional. In a recent decision of the Alberta Court of Appeal, Justice Slatter agreed that the application of PIPA to the union’s activities infringed the Charter.

In its constitutional analysis, the Court of Appeal concurred with the trial court’s finding that the picket line and its related videotape recordings were an expressive activity. Meanwhile, in considering the potential justifications for infringement, the Court of Appeal found there to be a pressing and substantial concern in the potential misuse of personal information, as well as a rational connection between the PIPA’s provisions limiting the use of personal information and the objectives of the Act.  

Continue Reading...

BC Court requires active personal injury plaintiff to divulge Facebook photos

David Elder & Robert Mysicka -

A recent decision by the British Columbia Supreme Court has led to yet another case of “Facebook Remorse” for a Plaintiff with an active social media presence.

The case also further confirms the trend in Canadian civil courts to require disclosure of “private” social media postings where relevant to the case at hand.

In Fric v. Gersham the Plaintiff, who is a recent law school graduate, is claiming damages resulting from injuries suffered in a motor vehicle collision that occurred in 2008. The action, which is scheduled to proceed to trial in May, 2013, involves claims by the Plaintiff of loss and damages, including pain and suffering, loss of amenities of life, past and future loss of earning capacity, and other damages alleged to have been caused by the Defendants, who were involved in the motor vehicle accident with the Plaintiff.

Continue Reading...

Personal data protection: implications for the corporate arena

In an increasingly digital age, data protection has become a key component of business risk management. Companies in every industry are understandably keen to protect their trade secrets, clients list and other company data. To that end, companies routinely include confidentiality and related provisions in employment contracts, and maintain policies and procedures regarding the protection of business-related information within and outside the workplace. Further, employers now more commonly monitor employees’ use of electronic technology, such as email.

Recent decisions from the U.S. and Canada, however, demonstrate that there remains a potentially uncertain balance between the ability for law enforcement to investigate potential crimes and the rights of individuals and employees.

Continue Reading...

New Google privacy policy and user data merge

Effective March 1, 2012, Google will put in place a unified privacy policy that will replace over 60 different privacy policies across Google and cover multiple products and features. The move, while presented as an upgrade in order to “create one beautifully simple and intuitive experience across Google”, is necessitated by Google’s new plan to link user data collected across 60 Google products such as Gmail, YouTube and web searches. The data merge is scheduled to take effect on March 1, 2012 and users will not be allowed to opt out of the change. The merger of data collected across Google’s email, video and social-networking services will allow Google to target search results and advertising.  

Many critics have raised privacy concerns over Google’s new data merge practices and privacy policy, including some U.S. lawmakers. As internet companies try to gleam more information from their users, they are likely to be met with increased scrutiny from regulators who are concerned about consumer privacy. Some Google senior executives believe the regulators have gone too far in proposing certain measures which could “break the internet”. At the World Economic Forum in Davos, Google’s chief legal officer raised concerns about the EU’s proposed privacy directive requiring explicit user consent to be obtained by website operators for the use of cookies.

A number says a thousand words: Data Privacy Day 2012

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, recently issued a press release  warning consumers that new technology has the potential to build individually-detailed profiles based on IP addresses, social insurance numbers and even license plates. Her comments highlight a growing trend that the anonymity of personal information is becoming increasingly scarce, especially for online consumers.

The Commissioner’s comments are timely considering that Data Privacy Day  is January 28, 2012, a day when awareness of online privacy and data protection is brought to the forefront. Recognized in Canada, the United States and most of Europe, Data Privacy Day is organized by the National Cyber Security Alliance, who seeks to educate the general public about data privacy and to encourage dialogue about data protection among consumers, businesses and governments.

Banking your secrets just got safer - invasion of privacy tort recognized

On January 18, for the first time, the Ontario Court of Appeal in Jones v. Tsige explicitly recognized the tort of invasion of personal privacy. In July 2009, Sandra Jones discovered that her co-worker, Winnie Tsige, had been surreptitiously viewing her bank records for four years. Although Jones did not know or directly work with Tsige, Tsige and Jones’ ex-husband were in a common-law relationship. As an employee of the Bank of Montreal (where Jones maintained her primary bank account), Tsige had full access to Jones’ banking information. Contrary to the bank’s policy, Tsige accessed Jones’ banking records at least 174 times. Sharpe J.A. allowed the appeal, ruled that Tsige committed the tort of “intrusion upon seclusion” and granted Jones $10,000 in damages.

Continue Reading...

2011 in Review - Top 10 Technology & IP Law Developments

The arrival of 2012 marked the end of a year filled with numerous developments in technology and IP law. Taking a cue from the Canadian Communications Law blog, we’ve decided that this would be an excellent time to reflect on the past year and review some of its more notable developments. To that end, we’ve put together a list of the top 10 technology and IP law developments from the past year.

Without further ado, here are our picks for the top 10:

  1. Court of Appeal recognizes reasonable expectation of privacy in contents of work computer - In R. v. Cole, a teacher discovered with nude images of a student on his work laptop was found by the Ontario Court of Appeal to have a reasonable expectation of privacy with respect to his personal files on that laptop.
  2. No liability for defamation for basic hyperlinks, says Supreme Court - In a decision that came as a relief to bloggers, tweeters, webpage owners and other providers and hosts of internet content, the Supreme Court of Canada clarified in Crookes v. Newton that merely providing hyperlinks to defamatory content will not lead to liability for defamation.
Continue Reading...

Panning for gold in the mud: the availability of privacy damages under PIPEDA

More than 10 years after the introduction of federal private sector privacy legislation in Canada, damage awards for breaches of the law have been few and far between -- and where such awards have been made, the dollar amounts awarded have been modest.

In light of the sometimes confusing, and even contradictory judgments to date, there is also considerable uncertainty as to when such damages might be awarded, and what evidentiary test a complainant might have to meet.

In Panning for gold in the mud: the availability of privacy damages under PIPEDA, in the December 2011 edition of the Canadian Privacy Law Review, David Elder of our Privacy and Data Protection Group, attempts to knit together the existing case law into a coherent analytic framework for the availability of privacy damages in Canada.

Article reproduced with permission of the publisher from Canadian Privacy Law Review, Vol. 9, No. 1, December 2011.

Leon's to ho ho hold onto customer information: SCC dismisses Privacy Commissioner's appeal

Late last week, the Supreme Court of Canada (SCC) passed on a chance to shed some light on what it considers to be “reasonable” collection of personal information.  It dismissed the Alberta Information and Privacy Commission’s appeal of an Alberta Court of Appeal decision that found “reasonable” collection of personal information to not necessary mean an organization must employ the “best” or the “least intrusive” methods.

As we noted in an earlier post, the Alberta Court of Appeal overturned the Commissioner’s ruling and stated that Leon’s Furniture Limited was justified in collecting driver’s licence and licence plate information from customers picking up furniture. Leon’s argued that the observance of such policy was for fraud prevention and deterrence purposes only and that it assisted police in any ensuing fraud investigations. The Commissioner claimed that Leon’s policy was a violation of Alberta’s Personal Information Protection Act (PIPA or Act), as collection of the disputed information was not “reasonable” under section 11 of the Act and it constituted a “condition of supplying a product or service” under section 7(2) of the Act. Both claims were rejected.

Continue Reading...

Privacy lessons learned: do your homework about home work

David Elder -

A recently publicized privacy breach by a Canada Revenue Agency (CRA) employee underlines the need for all organizations to impose strict controls and safeguards respecting the ability of employees to remove sensitive data from the workplace.

In a widely reported story, it was recently discovered, through a request under the Access to Information Act, that confidential material respecting Canadian taxpayers, contained in hundreds of documents and tens of thousands of email messages sent and received by a CRA employee, were downloaded in unencrypted form to CDs taken home and retained by a CRA auditor, at least some of which were subsequently copied to a third party’s laptop.   While the CDs have been recovered, the laptop – thought to contain the tax files of at least 2,700 Canadians – is still missing. 

Continue Reading...

Nothing up in the air about privacy: foreign airline must comply with Canadian law

David Elder -

When in Rome, do as the Romans do.  Similarly, when doing business in Canada, do as Canadian privacy law requires.

That is the lesson learned by a foreign-based airline following a finding by the Office of the Privacy Commissioner (OPC) of Canada that the carrier had violated Canadian privacy law, even though the company operates in compliance with European privacy requirements.  The decision further confirms the fact that foreign businesses that operate or provide services in Canada will be subject to all requirements of Canadian privacy law, regardless of the scope of the privacy regimes in their home countries.

Continue Reading...

Rolling the dice: Alberta court invalidates certain PIPA provisions

Paul Karvanis and Joel Freudman -

A recent decision by the Court of Queen’s Bench of Alberta to strike down provisions in Alberta’s Personal Information Protection Act (PIPA) could have ramifications nationwide as the offending provisions are mirrored in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). In United Food and Commercial Workers, Local 401 v. Alberta (Information and Privacy Commissioner) the Court declared several narrow exemptions in the Alberta legislation to be unconstitutional.

Continue Reading...

PIPEDA for the Practice of Law

The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand  the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.

Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (despite this latter point still not clear in the case law). Also, at a client’s request, information about the client must be provided within 30 days at no charge, and irrespective of whether or not a solicitor’s lien exists.

The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.

Federal Court muddies the waters on privacy damages

David Elder -

In a problematic judgement, the Federal Court of Canada has awarded damages against a bank for the wrongful disclosure by one of its employees of account information in response to a subpoena.

This is only the second case in which the Court has awarded damages for non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA); and like the first damage award under the statute, the amount awarded was minimal. The case is also perplexing, because it seems to contradict the reasoning in an earlier decision by the same court, which established that to be eligible for an award of damages, the alleged injury must result directly from a breach of the Act.

Continue Reading...

Who was that masked man? Court protects anonymity of Internet users

David Elder -

In the latest chapter in a $6 million defamation suit by a former mayor, an Ontario court has refused to order the disclosure of the identities of three individuals who used pseudonyms to post to an online forum.

The case of Morris v. Johnson should provide some comfort to those who post commentary anonymously, while serving as a cautionary tale to plaintiffs seeking to get behind the pseudonyms of their critics and detractors.

Continue Reading...

Google case raises questions about the security of unencrypted Wi-Fi signals

Late last month, the U.S. District for the Northern District of California denied Google’s motion to dismiss a putative class action alleging that the company accessed and used data transmitted through unencrypted Wi-Fi signals (Re Google Inc. Street View Electronic Communications Litigation). Google acquired the data through its Google Street View program, which relied on specially designed Google Street View vehicles to acquire 360° panoramic images of streets across the United States, Canada and other countries. These Google Street View vehicles also featured advanced technology that allowed them to access and store data transmitted through unencrypted Wi-Fi signals.

Ultimately, Google’s motion to dismiss the Plaintiffs’ claims that it violated the federal Wiretap Act was denied. Of particular interest was the court’s interpretation of the statute with respect to Wi-Fi signals. While the Wiretap Act prohibits intentionally intercepting certain electronic communication, the statute provides an exemption for communications that are “readily accessible to the general public”. In considering the applicable provision, which predates the ubiquity of wireless internet technology, the Court compared Wi-Fi technology to that of cellular phones. Specifically, while both use radio waves to transmit communication, both are intended to be private. Ultimately, therefore, the Court found that the plaintiffs’ pleading supported a claim that communications sent via Wi-Fi technology were not “readily accessible to the general public”.

Google quickly indicated that it will appeal the ruling. The widespread use of unencrypted Wi-Fi signals ensures that this case will be closely watched as it progresses.

New privacy rules in India may impact outsourcing transactions

On April 11, 2011, the Ministry of Communications and Information Technology (Department of Information Technology), Government of India (IT Ministry), issued the following rules regarding the protection of personal information:

  • Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
  • Information Technology (Electronic service delivery) Rules, 2011
  • Information Technology (Intermediaries guidelines) Rules, 2011

(collectively, the Privacy Rules).

The new Privacy Rules represent a dramatic change in India’s policy on protection of personal information, which previously regulated only data security and hacking but not privacy. For more information on the Privacy Rules and discussions of their potential impact on outsourcing transactions, please visit publications posted by Morgan Lewis, Gibson Dunn and DLA Piper.

Alberta Privacy Commissioner seeks leave to appeal to the Supreme Court of Canada from a recent Alberta Court of Appeal decision

Alberta’s Information and Privacy Commissioner has applied for leave to appeal to the Supreme Court of Canada from the Alberta Court of Appeal’s decision in Leon’s Furniture v. The Information and Privacy Commissioner of Alberta. In the case, a majority of the Court of Appeal held that an organization’s methods of collecting personal information must only be reasonable and need not be the least intrusive method.

Continue Reading...

Privacy lessons learned: they can't steal what you don't have

David Elder -

It is an unfortunate truism that we can often learn from the misfortunes of others, and this is certainly true with respect to privacy breaches.

Beyond the need for increasingly robust security safeguards, recent media coverage of a number of high-profile privacy breaches offer another ready lesson for corporations that collect and store personal information: information that is not retained cannot be the subject of a data breach.

In one recent breach, the victim of a possible data theft noted that records provided to a vendor were apparently not destroyed, although the outsourcing organization believed that they had been. It was these records that were the subject of data theft by an unknown hacker. In another recent breach case, information was stolen from an internal database of customer information that was no longer being used.

Continue Reading...

Privacy Commissioner can now be choosier about complaints she investigates

David Elder -

Legislative amendments proclaimed in force last week mean that the Privacy Commissioner of Canada may now be more selective about the complaints her office decides to investigate.

The amendments in question, made to the Personal Information Protection and Electronic Documents Act (PIPEDA), were actually contained in Bill C-28, Canada’s Anti-Spam Legislation, which received Royal Assent last December.  Although most of that statute is not yet in force (and, as we noted on our Canadian Communications Law blog, may be delayed in coming into force by the federal election call), last week the Governor in Council proclaimed in force some of the consequential amendments in that bill that affect PIPEDA, leaving for proclamation at a later date those PIPEDA amendments that coordinate with new obligations in the Anti-Spam law itself.

Continue Reading...

No tort of invasion of privacy in Ontario

The Ontario Superior Court has held that there is no common law tort of invasion of privacy in Ontario (Jones v. Tsige, 2011 ONSC 1475) . In coming to its decision, the Court emphasized the existence of statutory schemes that govern privacy issues.

The plaintiff claimed that the defendant, her co-worker at a bank, had committed the tort of invasion of privacy by accessing the plaintiff’s private banking records without authorization.

The case law on this issue was mixed as some Ontario court decisions had accepted the existence of this type of tort and others had not.

Continue Reading...

Court of Appeal recognizes reasonable expectation of privacy in contents of work computer

In a judgment released last week, the Ontario Court of Appeal held that the appellant teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop. Specifically, R. v. Cole involved the discovery of nude images of a student on the appellant's laptop by the school's computer technician. The technician copied the images onto a disk for the school's principal and subsequently copied temporary internet files found in the laptop's browsing history onto another disk.

According to the Court,

[a]lthough this was a work computer owned by the school board and issued for employment purposes with access to the school network, the school board gave the teachers possession of the laptops, explicit permission to use the laptops for personal use and permission to take the computers home on evenings, weekends and summer vacation. The teachers used their computers for personal use, they employed passwords to exclude others from their laptops, and they stored personal information on their hard drives. There was no clear and unambiguous policy to monitor, search or police the teachers’ use of their laptops.

Continue Reading...

Facebook reaches agreement with German officials over privacy concerns

Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.

The price of inaccuracy: Federal Court awards first damages for PIPEDA breach

David Elder -

This week, the Federal Court of Canada made its first damage award ever under the 10 year old Personal Information Protection and Electronic Documents Act (PIPEDA), awarding damages to a businessman in connection with the provision of inaccurate credit information by a credit reporting agency -- despite a failure to prove actual losses arising from the breach.

While the quantum of the damages awarded in Nammo v. Transunion of Canada Inc., was a modest $5,000 plus costs, the case establishes several important principles respecting the interpretation of PIPEDA and the availability of damages for humiliation stemming from a violation of the Act.

Continue Reading...

How much money is privacy worth?

According to two recent Federal Court decisions, privacy – though protected by the law - is not worth that much money when it comes to actual damage awards.

While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).

Continue Reading...

SCC gets its power lines crossed on privacy

David Elder -

This week, the Supreme Court of Canada released a decision that has important implications for the interpretation and application of section 8 of the Canadian Charter of Rights and Freedoms, as well as for privacy law generally. The problematic decision, which includes two sets of reasons concurring in the result and a strong dissent by the Chief Justice and Justice Fish, seems likely to provoke significant debate and potential uncertainty in its application.

In R. v. Gomboc, 2010 SCC 55, the Court considered the limits on the ability of law enforcement to use as evidence subscriber records obtained without a warrant from third party service providers, and more broadly, offered guidance as to what constitutes a reasonable expectation of privacy with respect to such records.

Continue Reading...

New strategy for data protection in the European Union

Yesterday, the European Commission released a draft strategy for the protection of individuals’ data entitled “A comprehensive approach on personal data protection in the European Union”.  The strategy is the result of public and stakeholder consultation throughout 2009 and 2010.  While the protection of personal data is currently a hot topic, this strategy is not the first time the European Commission has addressed issues of data protection and electronic privacy.  In 1995, the   European Union release the Data Protection Directive (95/46/EC), which was a milestone in the EU’s protection of personal data. The Directive, however, has struggled to keep up with the rapid pace of technological advancement, particularly in the area of social media.

The new strategy appreciates the challenges of modern technology and recognizes that the protection of electronic information cannot be seen as a purely national concern.  The strategy focuses on the strengthening of individual rights, through the provision of control and autonomy over one’s own personal data, and aims at providing users with greater information about who has access to their data and when such data has been viewed.  Most interestingly, the strategy calls for a “right to be forgotten” whereby individuals have the right to completely remove their data from electronic forums, such as social networking sites, if and when they no longer want to participate.

The goal of the Commission is to propose a new general legal framework by mid-2011 that will protect personal data in the EU for all sectors. Currently, the EU has left the door open for public response with the deadline for comment set as January 15, 2011.

PCI Security Standards Council Releases Version 2.0 of the PCI Data Security Standard and Payment Application Data Security Standard

On October 28, 2010, the PCI Security Standards Council released version 2.0 of the PCI Data Security Standard (DDS) and the Payment Application Data Security Standards (PA-DSS) reflecting input from the Council’s global stakeholders.  This latest version, effective January 1, 2011, is designed to provide greater clarity and flexibility to facilitate improved understanding of the requirements and eased implementation for merchants.  A summary of the changes can be found here.  The standards, detailed summary of changes and supporting documentation can be found here.

The PCI Security Standards Council was formed by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to provide a transparent forum in which all stakeholders can provide input into the ongoing development, enhancement and dissemination of the DSS, PIN Transaction Security (PTS) requirements and the PA-DSS.

Defendant granted discovery of Plaintiff's Facebook and MySpace profiles

A judge of the Supreme Court of New York State has recently held that information voluntarily placed on Facebook and MySpace pages are discoverable, and that doing so would not violate the plaintiff’s right to privacy.

The plaintiff, Romano, claimed that she sustained permanent injuries as a result of an accident and also that she could no longer participate in certain activities and her enjoyment of life was affected.  As part of its defense, the defendant brought a motion to obtain complete access to the plaintiff’s current and historical Facebook and MySpace pages and accounts on grounds that the plaintiff has uploaded certain information that would be inconsistent with her claims concerning the extent and nature of her injuries.

Continue Reading...

BlackBerry and Facebook - the Future of Electronic Service?

An Ontario Superior Court Justice has allowed the use of Facebook as a valid method for the service of court documents.  In a paternity suit where the mother could not find the father except on Facebook, Justice Cheryl Robertson allowed the mother to serve the father in a message over Facebook.  Justice Robertson believes that in today’s connected world, electronic service is the next logical step for the delivery of documents which may otherwise be undeliverable.

Since the Rules of Civil Procedure allow for substituted service when regular service is impractical, Justice Robertson argues that electronic means of service provide a practical solution. E-service is even more useful in the context of family law cases where litigants may be trying to avoid being found in anticipation of child support claims. In a paper she presented earlier this month, Justice Robertson points out that e-service has several advantages over regular service including speed and cost efficiency. Furthermore the person who is serving the document will know immediately if they have sent the documents to the wrong email address or know if a user has been active in checking their Facebook page through their recent activity log. While the use of e-service is on the rise, the judiciary may be slow in adopting it, as many judges may be unfamiliar with different electronic tools. Despite this, Justice Robertson is optimistic that over time the benefits of e-service will win over even the most skeptical opponents.

Privacy concerns over Facebook's "like" button

Canada's Privacy Commissioner Jennifer Stoddart has revealed concerns over Facebook's "like" button. While the Commissioner very recently announced the conclusion of a prior privacy investigation that began in 2008, she revealed that this new probe was only one of several other issues the Commission has with Facebook. When it was first implemented, the “Like” button was meant only for users on the Facebook website to indicate their preference for items posted on their friend’s Facebook pages. In April, Facebook began to offer its “Like” button to external websites leading to uncertainty over how the private information of users who clicked the button would be used. It is now estimated that over 350,000 websites have adopted the “Like” button with over 65 million clicks to the button a day. Despite these ongoing investigations by the Commissioner, Facebook’s Chief Privacy Counsel Michael Richter maintains that Facebook continues to be dedicated to giving users control over their private information.

Quebec Court of Appeal upholds right to privacy in unreasonable surveillance case

Compagnie d’assurances Standard Life c. Tremblay, 2010 QCCA 933 (CanLII)

On May 11, 2010, the Quebec Court of Appeal issued a definitive judgment in support of privacy rights in the case of Standard Life v. Tremblay. Upholding the trial decision, the Quebec Court of Appeal maintained the damages awarded which included a punitive sum of $100,000.00 to the plaintiff Tremblay against Standard Life Insurance Company (Standard Life).

Continue Reading...

Amendments to Alberta's Health Information Act come into force on September 1, 2010

Recent amendments to Alberta’s Health Information Act, and related regulations, come into force on September 1, 2010.  The amendments touch on a range of issues including the applicability of the statute, sharing of electronic health records, the creation of health information repositories and additional investigative powers for the Information and Privacy Commissioner of Alberta.

Continue Reading...

Bill C-29 proposes to enhance current private-sector privacy legislation

Bill C-29, a proposed amendment to the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”), seeks to enhance the private-sector privacy legislation in Canada.

Bill C-29 which was first read on May 25, 2010, is expected to provide clarification for insurers, corporations and federal employers, who under the existing PIPEDA provisions have voiced uncertainty as to what investigative steps they can take without violating Canadian privacy laws.  The current PIPEDA provisions allow for the collection, use and disclosure of personal information, without consent, only when there is a breach of contract or law.  The Privacy Commissioner has been of the view that under the current PIPEDA provisions, the mere suspicion of a crime or a breach of contract is not grounds for an investigation in the private-sector.

If passed, Bill C-29 proposes amendments which include clarification of the meaning of “lawful authority” pursuant to Section 7 of the Act, and the collection and use of witness statements where it is necessary for an insurance claim.  Ultimately, the Bill would permit organizations to access this information without the knowledge or consent of an individual for the purposes of preventing fraud and other unlawful activity.  Amendments to the Act contained in Bill C-29 would affect mainly those involved in insurance, employment, and corporate due-diligence investigations.

Federal Court restricts definition of "commercial activity" under PIPEDA

State Farm Mutual Automobile Insurance Company v. The Privacy Commissioner of Canada et al., 2010 FC 736

On July 9, 2010, the Federal Court of Canada restricted the scope of the definition of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA), when it was asked to determine whether the provisions of PIPEDA apply to evidence collected by an insurer, on behalf of an insured, in a tort action.

Continue Reading...

Facebook users will now have the option to "opt-in" before third-party applications can access their data

Prompted by meetings with the Office of the Privacy Commissioner of Canada (OPC) earlier this year to improve its privacy settings, Facebook has announced that users can now choose an “opt-in” option before allowing third-party applications to access their personal information.  This will allow the website’s users to see exactly which parts of their personal data third-party applications will need before they choose to download them.

Previously, third-party applications were required to ask for a user’s permission before accessing any personal information, but they were not asked to specify exactly what information was needed.  Now, third-party applications must list exactly what information they will need, such as photos, videos or friends’ lists.  The new privacy settings also allow users to give permission to a third-party application before it can access their friends’ data.
Although the option to “opt-in” is a welcome change from the option to “opt-out”, most third-party applications must still be allowed to access all the data before they can run.

Apple updates privacy policy

On June 21, 2010, Apple updated its privacy policy making it easier for the company, its partners and licensees to "collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device."

Location-based services are becoming big business in everything from mobile advertising to on-demand multimedia services. Individuals can already use applications such as Clip Mobile’s coupon application to receive deals, sign into FourSquare to let their social networks know where they are, and get turn-by-turn navigation details on their smartphones.

Apple maintains that the location-based data collected by Apple will be anonymous, and will be used only to offer specialized location-based services to its users. 

The changes have prompted two Congressmen (Texas Republican Joe Barton, co-chairman of the House Bi-Partisan Privacy Caucus and Massachusetts Democrat Edward Markey) to write a joint letter to Apple CEO Steve Jobs, asking him to explain the changes made by the company to its user privacy policy by 12 July.

The changes will affect nearly all Apple-users as individuals must agree to the new privacy policy in order to download anything from the iTunes store. There currently appears to be no way to opt-out of this data collection without giving up the ability to download apps.

Amendments to Alberta's PIPA come into force

A post on Slaw today contains a discussion of Alberta's Personal Information Protection Amendment Act, 2009 by Stikeman Elliott partner Wesley Ng. Specifically, Mr. Ng considers the new requirements respecting written policies and procedures and notification.

Canadian Government re-introduces anti-spam legislation

Justine Whitehead

On May 25, 2010, the Canadian government introduced Bill C-28, an act that would establish the federal Fighting Internet and Wireless Spam Act (“FIWSA”), and make significant consequential amendments to other federal legislation, including Canada’s Competition Act; Telecommunications Act; and Personal Information Protection and Privacy Act (PIPEDA).

Continue Reading...

Facebook responds to public outcry with new privacy settings

Responding to the latest public outcry, Facebook CEO Mark Zuckerberg recently announced a number of new policies and settings; however, the changes may not be enough to satisfy regulators and critics. The Office of the Privacy Commissioner of Canada (OPC) recently responded to Facebook’s new privacy settings, warning that Facebook has not gone far enough to satisfy its commitments to the OPC.

Continue Reading...

Government of Canada moves to enhance safety and security in the online marketplace

The Canadian federal government is taking aim at improving the security of Canadian online commerce. 

The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), announced a series of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA).

Continue Reading...

Two courts rule on identity protection for online commentators

Courts in Nova Scotia and Ontario recently issued conflicting decisions on the ability of a plaintiff to compel a website to reveal the identities of online commentators.In both cases, the plaintiff in a defamation suit sought the identities of individuals who had posted allegedly defamatory comments to a website.In the Nova Scotia case, the court granted the order; in Ontario, the court refused it.The Ontario decision made it clear that such orders are not automatic – the court must be satisfied that there is a prima facie case for defamation, and must also weigh the public interest in disclosure against the freedom of expression and privacy interests of the parties. These issues were not addressed in the Nova Scotia decision.

Continue Reading...

Personal Information Protection Act amendments proclaimed in Alberta

Barbara B. Johnston, Gary T. Clarke, Birch K. Miller and April Kosten

Effective May 1, 2010, amendments to Alberta's Personal Information Protection Act (PIPA) are in force, which provide new and notable requirements applicable to organizations.

Notification respecting service providers outside of Canada

Organizations that use service providers outside of Canada to collect personal information about individuals or that transfer personal information to service providers outside of Canada must notify individuals of:

  • the ways in which they may obtain access to written information about the organization's policies and practices with respect to service providers outside of Canada; and
  • the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.

Such notification must be provided before personal information is collected by, or transferred to, the service provider.

Continue Reading...

Facebook publishes natural language privacy policy

In November 2009, Facebook responded to privacy concerns by publishing a new, natural language privacy policy. The new policy will first be available for public review and comment, before eventually replacing the current “legalese” version. Last August, Facebook was forced to change its privacy policy, in response to a complaint filed by a Canadian law student with Canada’s Privacy Commissioner. The natural language privacy policy reflects Facebook’s goal to improve “transparency and readability”, according to communications and public policy executive Elliot Schrage.

The Genetic Information Nondiscrimination Act (GINA) Comes into Force in the U.S.

In 2008, the U.S. enacted the Genetic Information Nondiscrimination Act of 2008 (GINA) to prohibit discrimination in health coverage and employment based on genetic information. While many states have already enacted legislation that prohibitions discrimination based on genetic information, the degree of protection provided by state laws varies widely and the federal act provides a minimum baseline of protection. GINA prohibits health insurers or administrators from requesting or requiring genetic information from an individual or an individual’s family members. GINA also prohibits employers from using genetic information on any decisions regarding employment.

U.S. federal agencies publish final model GLBA privacy form

On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.

The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.

The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.

Schuster v. Royal & Sun Alliance Insurance Company of Canada

An Ontario Court judge recently rejected Royal & Sun Alliance Insurance Co.’s bid to see a woman’s Facebook profile in a case where the woman was suing to recover for injuries suffered in a car crash. The judge stated that the plaintiff’s privacy would be respected unless the defendant could prove a legal entitlement to the ruling. The judge gave the defendant an opportunity to cross-examine the plaintiff to try to prove a legal entitlement, but refused to do anything further. This decision represents a slightly stronger stance towards privacy than the Leduc v. Roman case discussed in an earlier post

Continue Reading...

Canadian Privacy Commissioners provide guidance on workplace privacy in the time of a pandemic

In response to inquiries from organizations seeking clarification as to the application of privacy laws in the private sector workplace during the H1N1 pandemic, the Office of the Privacy Commission of Canada, together with the Office of the Information and Privacy Commission for British Columbia and the Office of the Information and Privacy Commission of Alberta published a guidance document on the issue.

The federal Personal Information Protection and Electronic Documents Act, and the provincial privacy legislation in Alberta, British Columbia and Quebec apply in the usual way in the event of “non-emergency” situations. However, in the event of the declaration of a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Orders issued under public health legislation could require the collection, use and disclosure of certain information relating to employees and customers, which collection would not be impeded by private sector privacy legislation.

The guidance document encourages employers to provide employees with information on prevention rather than asking employees personal questions that go beyond what is reasonable and minimally necessary.

CRTC sets Canadian "net neutrality" framework

Canada's federal telecommunications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), has recently released a regulatory policy decision clarifying its legislative authority within Canada's Telecommunications Act to police discriminatory internet traffic management practices by ISPs and its position in favour of net neutrality. In addition, this decision also enhances the protection of personal information collected by ISPs by seeking to “impose a higher standard than that available under PIPEDA in order to provide a higher degree of privacy protection for customers of telecommunications services.”

Continue Reading...

Alberta Court of Appeal addresses employees' expectation of privacy in the workplace

In June 2009, the Alberta Court of Appealhad the occasion to consider the expectation of privacy of employees with respect to their workplace computers and found that an employer is “entitled not only to prohibit use of its equipment and systems for pornographic or racist purposes but also to monitor an employee’s use of the employer’s equipment and resources to ensure compliance.”

The case of Poliquin v. Devon Canada Corporation (2009 ABCA 216) examined the availability of a summary judgment motion in a wrongful dismissal case. Mr. Poliquin was terminated from his position as a senior supervisor at Devon Canada after 26 years of service for, among other things, using a workplace computer to access and exchange pornographic and racist emails.

Continue Reading...

Guidance on covert video surveillance in the private sector

The Office of the Privacy Commissioner of Canada (OPC) issued a guidance document outlining the privacy obligations and responsibilities of private sector organizations contemplating and engaging in covert video surveillance.

The OPC notes that it considers covert video surveillance to be an extremely privacy-invasive form of technology, the use of which should only be considered in the most limited cases. 

The guidance document notes that capturing images of identifiable individuals through covert video surveillance is considered to be a collection of personal information, irrespective of the fact that it may occur in a public place, and as such, is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).

Continue Reading...

No privacy in trash, Supreme Court holds

Even when it's sitting on your property awaiting collection, garbage - and the private information it contains - may be vulnerable to police and public scrutiny

Karen E. Jackson, Wesley Ng and Andrew Cunningham

R. v. Patrick
Supreme Court of Canada, 2009 SCC 17 (April 9, 2009)

This Supreme Court of Canada ruling, which arose in the context of a criminal drug prosecution, underscores the importance of careful disposal of documents containing confidential information or other information that could potentially be embarrassing or damaging to your company's interests. The essence of the Court's ruling is that waste left for disposal "at the curb" - and the information it contains - is fair game for police search and seizure, and arguably for perusal by reporters or members of the general public as well. Even where trash is left for pick up on your own private property, it can be vulnerable if it can easily be reached from public property. The lesson is never to dispose of sensitive material by leaving it for pick-up on the periphery of one's property. Lockable bins, fencing, signage and other indicia of an intention to maintain control of refuse until it can be securely transferred into disposal vehicles are key to keeping your trash out of the hands of those who would recycle it into a gold mine of information about your business.

Continue Reading...

Cross-examination of plaintiff allowed on supplementary affidavit of documents regarding content of Facebook profile

Leduc v. Roman, 2009 CanLII 6838 (Ont. S.C.J.).

Alex Colangelo

Existence of Facebook profile allowed for inference that private portion of profile may contain relevant material

The parties in this case were involved in a motor vehicle accident in 2004. The plaintiff subsequently initiated an action claiming that the defendant’s negligence resulted in a lessened enjoyment of life. Sometime after Mr. Leduc’s examination for discovery, defence counsel discovered that the plaintiff maintained a Facebook account. The privacy settings on the account, however, restricted access to his profile, resulting in only the plaintiff’s name, city of residence and profile photograph being accessible to the defendant.

Continue Reading...