Banking your secrets just got safer - invasion of privacy tort recognized

On January 18, for the first time, the Ontario Court of Appeal in Jones v. Tsige explicitly recognized the tort of invasion of personal privacy. In July 2009, Sandra Jones discovered that her co-worker, Winnie Tsige, had been surreptitiously viewing her bank records for four years. Although Jones did not know or directly work with Tsige, Tsige and Jones’ ex-husband were in a common-law relationship. As an employee of the Bank of Montreal (where Jones maintained her primary bank account), Tsige had full access to Jones’ banking information. Contrary to the bank’s policy, Tsige accessed Jones’ banking records at least 174 times. Sharpe J.A. allowed the appeal, ruled that Tsige committed the tort of “intrusion upon seclusion” and granted Jones $10,000 in damages.

The Court of Appeal defined the tort “intrusion upon seclusion”:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

The Court noted that proof of actual loss is not required and gave examples of private matters that can objectively be described as highly offensive: one’s financial or health records, sexual practices and orientation, employment or private correspondence. Tsige was able to access Jones’ banking transaction details, as well as personal information such as date of birth, marital status and address.

Despite the absence of any statutory private right of action between individuals in Ontario (unlike in a number of other Canadian, American and Commonwealth jurisdictions), privacy has long been recognized as an important underlying and animating value of various traditional common law causes of action to protect personal and territorial privacy. The Court pointed to the explicit recognition of a right to privacy underlying certain Charter rights and freedoms, and to the principle that the common law should be developed in a manner consistent with Charter values in choosing to expand the common law.

According to the Court,

[i]t is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

Sharpe J.A. ruled that damages for intrusion upon seclusion in cases where the plaintiff has suffered no monetary loss should be modest but sufficient to mark the wrong that has been done. He fixed the range at up to $20,000 on a sliding scale loosely based on factors including the nature of the wrongful act; the effect on the plaintiff's health, social, business or financial position; any relationship between the parties; any distress, annoyance or embarrassment suffered; and the conduct of the parties, including any apology made by the defendant. In the present case, the mid-point of the range was chosen: Tsige's actions were deliberate and arose from a complex web of domestic arrangements that was likely to provoke animosity (and did), but Jones suffered no public embarrassment or harm to her health, social, business or financial position, and Tsige apologized for her conduct.

Leon's to ho ho hold onto customer information: SCC dismisses Privacy Commissioner's appeal

Late last week, the Supreme Court of Canada (SCC) passed on a chance to shed some light on what it considers to be “reasonable” collection of personal information. It dismissed the Alberta Information and Privacy Commission's appeal of an Alberta Court of Appeal decision that found “reasonable” collection of personal information does not necessarily mean an organization must employ the “best” or the “least intrusive” methods.

As we noted in an earlier post, the Alberta Court of Appeal overturned the Commissioner's ruling and stated that Leon's Furniture Limited was justified in collecting driver's licence and licence plate information from customers picking up furniture. Leon's argued that such a policy was observed for fraud prevention and deterrence purposes only and that it assisted police in any ensuing fraud investigations. The Commissioner claimed that Leon's policy was a violation of Alberta's Personal Information Protection Act (PIPA or Act), as collection of the disputed information was not “reasonable” under section 11 of the Act and it constituted a “condition of supplying a product or service” under section 7(2) of the Act. Both claims were rejected.

In deciding in favour of Leon’s, the Alberta Court of Appeal made a few notable findings:

  1. The court recognized that the privacy statute identifies two competing values, the right to protect information and the need to use it. One does not trump the other, and a balancing is called for.

  2. The “reasonableness” standard imposed under section 11 of PIPA only requires organizations to collect personal information to the extent it is reasonable for meeting the purposes for which the information is collected, and “[i]t is not open to the [Commissioner] to change ‘reasonableness’ to either ‘necessity’, ‘minimal intrusive’, or ‘best practices’. These are not interpretations that are available given the plain wording of the statute.”

  3. The “reasonableness” standard does not require a business to defer, in all instances, its interest to an individual's privacy interest. “[The Commissioner] is not empowered to direct an organization to change the way it does business, just because the [Commissioner] thinks he has identified a better way. So long as the business is being conducted reasonably, it does not matter that there might also be other reasonable ways of conducting the business”.

The Court of Appeal's decision is an important win for private sector businesses, and, needless to say, Alberta Privacy Commissioner Frank Work was dismayed with the SCC's dismissal of the appeal. In his news release, the Commissioner expressed his concern that the decision “could be used to challenge what were thought to be reasonable, nationally accepted limits on the collection of personal information by private sector organizations. We are moving backwards.”

Overall, the Court of Appeal's interpretation of the privacy act is an important one for business in Alberta and in B.C., which has privacy legislation similar to PIPA. Although the privacy legislation governing personal information differs across the provinces, the territories and the federal jurisdiction, the message from Alberta may translate into other jurisdictions to limit the Commissioner's discretion. Whether this judgment alters the decisions of privacy commissioners in future dealings with businesses remains to be seen.

PIPEDA for the Practice of Law

The Canadian Privacy Commissioner released guidelines for lawyers seeking to understand the Personal Information Protection and Electronic Documents Act (PIPEDA) at the Canadian Bar Association convention on August 16, 2011. Entitled “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”, it provides an overview of PIPEDA requirements as they apply to lawyers and law firms in private practice as well as corporate counsel.

Whereas lawyers already must keep client information confidential, PIPEDA introduced additional requirements that are highlighted in the handbook. For example, conducting a credit check on a potential client requires prior informed consent, and the Commissioner recommends similarly obtaining informed consent for all information collected for litigation purposes (although this latter point is still not settled in the case law). Also, at a client's request, information about the client must be provided within 30 days at no charge, irrespective of whether or not a solicitor's lien exists.

The Commissioner can make non-binding recommendations either following a complaint or on its own initiative, and the complainant or Commissioner may subsequently proceed to Federal Court for enforcement. The Commissioner’s website offers lawyers a Self-Assessment Tool to promote compliance with PIPEDA.

Cloud computing and Canadian federally regulated financial institutions

Wesley Ng and Stuart Carruthers -

Cloud computing has grown significantly in the last few years. A Gartner Executive Program survey of more than 2,000 Chief Information Officers (CIOs), representing 50 countries and 38 industries, found that cloud computing is the number one technology priority for 2011. Fully 43% of the CIOs expected that a majority of their IT will be running “in the cloud” within four years. In its updated June 2011 forecast of Information Technology spending, Gartner stated that cloud computing expenditures are likely to rise by 16-20% per year through 2015, representing 4% of global IT spending by the end of that period. Richard Gordon, research vice president at Gartner, noted that expenditures for cloud computing services grew four times faster than overall IT spending.

What is Cloud Computing?

The term "cloud computing" has been used to refer to almost anything from the ability to access virtual servers over the Internet to the consumption of any information technology service situated outside an organization's infrastructure. The more precise technical meaning, however, is expressed in the following draft definition published by the U.S. Government's National Institute of Standards and Technology:

[A] model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

As this suggests, the key feature of cloud computing is the ability to access a remote, shared IT infrastructure on an as-needed basis.

Benefits of Cloud Computing

There are many benefits of cloud computing, including that organizations that use cloud computing are not required to maintain their own localized infrastructures to support the services; rather, they pay for the use of technology resources only when and to the extent that they actually need them. As a result, users can avoid the expense of setting up and looking after in-house infrastructure. Among other things, this allows organizations to replace up-front capital expenditures with a more fluid operational expenditure that more closely tracks actual business activity. Further, because cloud computing services are available to multiple users leveraging the same infrastructure, the cloud service provider is typically able to achieve significant economies of scale, producing additional savings for its customers.

Federally Regulated Entities under OSFI Guideline B-10

Guideline B-10 of the Office of the Superintendent of Financial Institutions (Canada) (OSFI) governs cloud computing arrangements (and other outsourcing agreements) entered into by Federally Regulated Entities (FREs). For the purposes of the Guideline, the term "FRE" encompasses all Canadian banks, insurance companies, fraternal benefit societies, trust and loan companies and cooperative credit associations, and Canadian branches of foreign banks and insurance companies.

Guideline B-10 imposes overall accountability and control requirements, and requires an assessment of the materiality of an outsourcing arrangement and the implementation of a risk management program (the scope and nature of which will vary depending on the materiality of the outsourcing arrangement in question).

B-10 and Cloud Computing

Many of the issues that cloud computing raises for FREs are not unique to cloud computing; they exist in the context of any outsourcing. Nevertheless, cloud computing involves a host of inherent risks, including the use of shared resources; the use of multiple dynamic data transfer routes (to minimize bandwidth usage); dependency on a commoditized, non-customized, volume-based solution; and the use of infrastructure scattered over multiple locations (often in low-cost centres with minimal legislative data protection obligations). The significance of the issues involved in cloud computing will largely depend on the materiality and nature of the services obtained. It would be prudent for FREs to consider the following issues in connection with the development of their cloud computing strategies:

1) Data commingling and segregation
The use of shared virtual infrastructure may create data commingling and segregation issues. B-10 requires service providers to be capable of isolating an FRE's data, records and items in process from those of other customers at all times. As a precondition of entering into a cloud computing arrangement which is subject to B-10, an FRE must therefore determine whether the cloud service provider can offer the service in a manner that permits proper data segregation.

2) Accessibility of confidential information
The nature of cloud computing - including the ability for multiple entities to access shared resources and the use of multiple locations across low cost regions - can create data security and privacy issues. B-10 requires the FRE to ensure that security and confidentiality policies of the cloud computing service provider are commensurate with those of the FRE, which should ensure that all necessary protections are in place to secure the confidentiality of the data provided to the cloud infrastructure. In particular, contractual provisions should clearly define who has responsibility for protection mechanisms, the information that is covered by such protections, the ability of either party to modify security procedures and requirements and notification obligations of the cloud service provider should any confidentiality or security breach occur.

3) Business continuity
The FRE's business continuity plans must address all reasonably foreseeable situations in which a cloud service provider may be unable to continue to provide services at the required levels. Most importantly, in the context of any business interruption affecting the cloud service provider, the FRE should ensure that it has access to all necessary records to allow it to continue its business operations and meet any statutory obligations or other obligations to OSFI.

4) Data location
A cloud service provider's infrastructure and software may be dispersed across multiple locations across the globe. This may be problematic for FREs since B-10 requires the contract governing the provision of the cloud services to identify the nature and scope of the services, including specification of the physical location where the services are being provided. While this may be possible at the outset of a cloud computing arrangement, the dynamic nature of cloud computing means that regular updates should be contemplated under the contract in order to address any shift in the location of the information technology infrastructure supporting the services. In addition, contractual provisions to address any deficiencies in legislated privacy protections and issues relating to access rights of foreign governments and their regulatory agencies should be considered.

5) Subcontractors
Many cloud service providers enter into subcontracts for additional virtual technology infrastructure on an as-needed basis. FREs need to ensure that subcontracting limitations are imposed to ensure that all such subcontractors are subject to the same security, confidentiality and audit obligations as the cloud service provider.

6) Monitoring cloud arrangements
The nature of cloud computing can make monitoring and auditing the arrangements difficult. B-10 requires that the FRE be able to monitor the services to ensure that they are being delivered in accordance with the FRE's requirements. The FRE must be capable of evaluating the cloud service provider from time to time, including its internal controls (which may be satisfied through the provision of a SAS70 or analogous control report). The FRE must carefully consider how best to ensure that the necessary monitoring can occur, based on the service model and geographic territory of the services being provided, as well as on the level of monitoring required (given the risks presented by the cloud computing arrangements in question).

7) e-Discovery
While not specific to FREs, some thought should be given to the growing need to facilitate e-discovery (the production of electronic data and information required in the "discovery" process that occurs when a lawsuit is initiated). The use of cloud computing could lead to delays and costly efforts to produce relevant materials due to data commingling or data dispersion across locations and/or service providers.

Know the Challenges - Address the Risks

Virtually all organizations' IT business plans include at least some outsourcing of IT functions to third parties. Because cloud computing offers so many advantages, its adoption is, for many companies, a question of "when" rather than "if". Security and other challenges faced by FREs in the context of cloud computing are not unique to FREs, but are more pronounced due to the need to comply with B-10. While in certain contexts the challenges and compromises inherent in cloud computing may preclude its adoption by the FRE, in most cases cloud computing will work well, provided that the FRE carefully considers the relevant issues before entering into any agreements.

Court of Appeal recognizes reasonable expectation of privacy in contents of work computer

In a judgment released last week, the Ontario Court of Appeal held that the appellant teacher had a reasonable expectation of privacy with respect to personal files stored on his work laptop. Specifically, R. v. Cole involved the discovery of nude images of a student on the appellant's laptop by the school's computer technician. The technician copied the images onto a disk for the school's principal and subsequently copied temporary internet files found in the laptop's browsing history onto another disk.

According to the Court,

[a]lthough this was a work computer owned by the school board and issued for employment purposes with access to the school network, the school board gave the teachers possession of the laptops, explicit permission to use the laptops for personal use and permission to take the computers home on evenings, weekends and summer vacation. The teachers used their computers for personal use, they employed passwords to exclude others from their laptops, and they stored personal information on their hard drives. There was no clear and unambiguous policy to monitor, search or police the teachers’ use of their laptops.

The appellant's reasonable expectation of privacy, however, was limited to the extent that the school's technician could access the laptop to ensure the integrity of the school's network. In this case, the technician had accessed the appellant's laptop through the school server to investigate the possibility that the laptop had become infected by a computer virus. During the course of his work, the technician came across the offending images. Ultimately, therefore, the Court of Appeal concluded that the search by the technician and the subsequent search and seizure of the laptop conducted by the principal and school board did not violate the appellant's Charter rights. Meanwhile, the transfer to police of the disk containing the offending images, and the viewing of the images by police, did not constitute a search or seizure, since the photographs were taken from the school's network using the school's computer and were the subject of the privacy interest of the student. As such, the appellant had no privacy interest in the photographs themselves.

The appellant's privacy rights under section 8 of the Charter were found to have been violated, however, by the warrantless police search and seizure of the laptop itself. According to the Court of Appeal, "[t]he technician's discovery of the photographs during the course of his implied right of access did not vitiate the appellant's reasonable expectation of privacy in the contents of his laptop in relation to the police." The Court of Appeal found a similar privacy interest in the appellant's personal internet browsing history.

Ultimately, therefore, the Court of Appeal found that the laptop and the mirror image of its hard drive taken by the police should be excluded from the evidence, as should the disk containing the temporary internet files.

Facebook reaches agreement with German officials over privacy concerns

Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.

The price of inaccuracy: Federal Court awards first damages for PIPEDA breach

David Elder -

This week, the Federal Court of Canada made its first damage award ever under the 10-year-old Personal Information Protection and Electronic Documents Act (PIPEDA), awarding damages to a businessman in connection with the provision of inaccurate credit information by a credit reporting agency, despite a failure to prove actual losses arising from the breach.

While the quantum of the damages awarded in Nammo v. Transunion of Canada Inc., was a modest $5,000 plus costs, the case establishes several important principles respecting the interpretation of PIPEDA and the availability of damages for humiliation stemming from a violation of the Act.

The case concerned a businessman who sought a bank loan in order to launch a trucking business with a partner. The loan was rejected by the bank based on an inaccurate credit profile for the applicant, which subsequently was discovered to include the credit history of another individual with a different name, date of birth, Social Insurance Number and address history.

The case marks the Court's first consideration of Clause 4.6 of Schedule 1 to the legislation, which requires that personal information held by an organization must be “as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.” Justice Zinn rejected the respondent's argument that there is no breach of “the Accuracy Principle” where an organization responds adequately to correct inaccurate information after it is brought to its attention, finding that while such rectification may be a factor to consider in determining an appropriate remedy, it cannot be used as “an escape hatch” to avoid a finding of a breach of the principle itself. Justice Zinn similarly found that neither prior notification of inaccuracy, nor industry standard practices, nor commercial efficiency were relevant to assessing whether the Accuracy Principle had been breached.

In the first Federal Court damage award under s. 16 of PIPEDA, Justice Zinn awarded damages for humiliation for violation of the Accuracy Principle of the Act, finding “a serious breach involving financial information of high personal and professional importance.” It is noteworthy that damages were awarded despite little apparent evidence in this regard, with the judge finding that a reasonable person would have been humiliated by having their loan application turned down, having to convey to their business partner that their credit was “bad” and living with the taint of uncreditworthiness before their bank, in addition to undergoing the process to have the error corrected.

On the question of jurisdiction, Justice Zinn found that, while the Federal Court, on conducting a hearing de novo pursuant to s. 14 of PIPEDA, does not have jurisdiction to consider matters that were not complained of to the Privacy Commissioner of Canada in the complaint on which the rehearing is based, the Court’s jurisdiction is constrained only by the factual issues raised before the Privacy Commissioner, not by the particular clauses of the legislation considered by the Commissioner or her legal characterization of the factual issues raised.

How much money is privacy worth?

According to two recent Federal Court decisions, privacy – though protected by the law - is not worth that much money when it comes to actual damage awards.

While most privacy complaints are resolved through the Office of the Privacy Commissioner of Canada, some cases are litigated in court with plaintiffs hoping to receive monetary compensation for privacy violations. Two such cases are Randall v. Nubodys Fitness Centres, 2010 FC 681 (CanLII) and Stevens v. SNF Maritime Metal Inc. 2010 FC 1137 (CanLII).

Randall involved a situation where an employee's attendance at a fitness club was regularly reported back to his company, which paid half of his monthly fees as part of his benefits package. While the Federal Court agreed that this constituted a violation of his privacy rights, the Court did not award any damages, stating that only egregious breaches such as video-taping and phone-line tapping warranted compensation. In Stevens, the Federal Court reached the same conclusion and found that while the applicant's rights were violated when his company accessed his personal account information, the wrong was not malicious and therefore did not warrant an award of damages. The Court noted that the company then voluntarily put into place a confidentiality policy which would help prevent these situations in the future.

From these decisions, the Federal Court has shown that while privacy violations are readily recognized and condemned, they will rarely result in any monetary compensation. While Michael Geist states that this may have the unintended consequence of diminishing respect for privacy compliance due to a focus on the bottom line, it is important that companies recognize the other costs involved in breaching privacy - such as a damaged reputation and the cost of litigation. It is always advisable for companies to have and follow privacy policies which will protect both themselves and their employees.

New strategy for data protection in the European Union

Yesterday, the European Commission released a draft strategy for the protection of individuals' data entitled “A comprehensive approach on personal data protection in the European Union”. The strategy is the result of public and stakeholder consultation throughout 2009 and 2010. While the protection of personal data is currently a hot topic, this strategy is not the first time the European Commission has addressed issues of data protection and electronic privacy. In 1995, the European Union released the Data Protection Directive (95/46/EC), which was a milestone in the EU's protection of personal data. The Directive, however, has struggled to keep up with the rapid pace of technological advancement, particularly in the area of social media.

The new strategy appreciates the challenges of modern technology and recognizes that the protection of electronic information cannot be seen as a purely national concern. The strategy focuses on the strengthening of individual rights, through the provision of control and autonomy over one's own personal data, and aims at providing users with greater information about who has access to their data and when such data has been viewed. Most interestingly, the strategy calls for a “right to be forgotten” whereby individuals have the right to completely remove their data from electronic forums, such as social networking sites, if and when they no longer want to participate.

The goal of the Commission is to propose a new general legal framework by mid-2011 that will protect personal data in the EU for all sectors. Currently, the EU has left the door open for public response with the deadline for comment set as January 15, 2011.

Privacy concerns over Facebook's "like" button

Canada's Privacy Commissioner Jennifer Stoddart has revealed concerns over Facebook's "like" button. While the Commissioner very recently announced the conclusion of a prior privacy investigation that began in 2008, she revealed that this new probe was only one of several other issues the Commission has with Facebook. When it was first implemented, the “Like” button was meant only for users on the Facebook website to indicate their preference for items posted on their friends' Facebook pages. In April, Facebook began to offer its “Like” button to external websites, leading to uncertainty over how the private information of users who clicked the button would be used. It is now estimated that over 350,000 websites have adopted the “Like” button, with over 65 million clicks on the button a day. Despite these ongoing investigations by the Commissioner, Facebook's Chief Privacy Counsel Michael Richter maintains that Facebook continues to be dedicated to giving users control over their private information.

Quebec Court of Appeal upholds right to privacy in unreasonable surveillance case

Compagnie d’assurances Standard Life c. Tremblay, 2010 QCCA 933 (CanLII)

On May 11, 2010, the Quebec Court of Appeal issued a definitive judgment in support of privacy rights in the case of Standard Life v. Tremblay. Upholding the trial decision, the Quebec Court of Appeal maintained the damages awarded which included a punitive sum of $100,000.00 to the plaintiff Tremblay against Standard Life Insurance Company (Standard Life).

Tremblay was covered under a disability plan provided by Standard Life and started to receive disability benefits following a severe car accident. After re-examining him, the Standard Life medical consultant reported his doubts about Mr. Tremblay's disability and suggested surveillance of Mr. Tremblay. Standard Life then proceeded to monitor Mr. Tremblay on 5 different occasions over a period of about one year, each time averaging 3 days.

During the second surveillance session, the investigators mistakenly recorded Mr. Tremblay’s brother and therefore believed they were capturing Mr. Tremblay engaging in very active tasks such as putting up Halloween decorations. Having been shown the erroneous recording, Standard Life’s neurosurgeon Dr. Francoeur concluded that Mr. Tremblay was not in pain and that Standard Life should cease paying the disability benefits.

At the heart of the Quebec Court of Appeal’s decision is an unmistakable endorsement of Mr. Tremblay’s privacy rights. Citing the first instance judge, the court agreed that Standard Life committed a fault in ordering the surveillance without good reason and that this amounted to a significant violation of his privacy.

Furthermore, the Court deferred to the trial judge’s assertion that Mr. Tremblay’s dignity was ruined and his reputation damaged. Following the definition of dignity set out in Quebec (Public Curator) v. National Union of Employees of the Hospital of St. Ferdinand [1996] 3 S.C.R. 211 which includes self-respect and respect from others, the Court agreed that he was treated as a liar due to Standard Life’s unwarranted surveillance. The Court concluded that Mr. Tremblay suffered prejudice because of Standard Life’s actions and that the information they obtained was in fundamental breach of Mr. Tremblay’s right to privacy.

Of great significance in this case is that the Court maintained the punitive damages award given by the first instance judge. While rarely awarded in Canada, punitive damages symbolize a Court’s desire to punish a litigant who has behaved particularly egregiously. The fact that the Court endorsed this penalty against Standard Life sends a very strong message that unjustified intrusions into the private lives of citizens will not be tolerated.

Having already upheld a punitive damages award in a similar decision (Veilleux v. Compagnie d’assurance-vie Penncorp, 2008 QCCA 257) the Quebec Court of Appeal through this decision signals the growing willingness of courts to intervene when privacy rights are violated. 

Amendments to Alberta's Health Information Act come into force on September 1, 2010

Recent amendments to Alberta’s Health Information Act, and related regulations, come into force on September 1, 2010.  The amendments touch on a range of issues including the applicability of the statute, sharing of electronic health records, the creation of health information repositories and additional investigative powers for the Information and Privacy Commissioner of Alberta.

On September 1, 2010, new legislation pertaining to health information comes into force in Alberta.  The Health Information Act (Act), which provides “custodians” of health information a framework within which to manage the collection, use and disclosure of patients’ health information, and associated regulations will be amended in four significant ways.  First, by reason of an amendment to the definition of “custodian”, the Act will now apply to privately-funded health services.  Previously, among health care service providers, only those paid under the Alberta Health Care Insurance Plan were considered “custodians” and thus bound by the Act.  Second, the amendments create regulation for Alberta Netcare, a means of storing and sharing electronic health records.  Most controversially, health professionals can be compelled to make certain elements of their patients’ health information accessible to other custodians via Alberta Netcare.  Those elements of health information are enumerated in section 4 of the Alberta Electronic Health Record Regulation and include uniquely identifying personal demographic information, immunizations, key clinical events, laboratory results and “other medical reports”.  There are two circumstances in which health professionals can be compelled in this manner.  Either a professional governing body (such as the Alberta Medical Association) can mandate disclosure or the Minister responsible for the Act can do so if “it is in the public interest”.  The Minister, however, may only compel the disclosure upon consultation with the relevant professional governing body and after preparing a privacy impact assessment reviewed by the Information and Privacy Commissioner of Alberta.  The third significant amendment establishes “health information repositories”.  The role of these entities is unclear, but the amendments provide that their powers and duties may be further clarified in regulations.  The amendments do state, however, that custodians of health information may disclose individually identifying information to these repositories.  Lastly, the amendments confer on the Information and Privacy Commissioner of Alberta the additional power to exchange information and enter into agreements with other provincial privacy commissioners to coordinate activities and investigate multi-jurisdictional complaints.

Bill C-29 proposes to enhance current private-sector privacy legislation

Bill C-29, a proposed amendment to the Personal Information Protection and Electronic Documents Act (“PIPEDA” or the “Act”), seeks to enhance the private-sector privacy legislation in Canada.

Bill C-29, which was first read on May 25, 2010, is expected to provide clarification for insurers, corporations and federal employers, who under the existing PIPEDA provisions have voiced uncertainty as to what investigative steps they can take without violating Canadian privacy laws.  The current PIPEDA provisions allow for the collection, use and disclosure of personal information, without consent, only when there is a breach of contract or law.  The Privacy Commissioner has been of the view that under the current PIPEDA provisions, the mere suspicion of a crime or a breach of contract is not grounds for an investigation in the private sector.

If passed, Bill C-29 proposes amendments which include clarification of the meaning of “lawful authority” pursuant to Section 7 of the Act, and the collection and use of witness statements where it is necessary for an insurance claim.  Ultimately, the Bill would permit organizations to access this information without the knowledge or consent of an individual for the purposes of preventing fraud and other unlawful activity.  Amendments to the Act contained in Bill C-29 would affect mainly those involved in insurance, employment, and corporate due-diligence investigations.

Federal Court restricts definition of "commercial activity" under PIPEDA

State Farm Mutual Automobile Insurance Company v. The Privacy Commissioner of Canada et al., 2010 FC 736

On July 9, 2010, the Federal Court of Canada restricted the scope of the definition of “commercial activity” under the Personal Information Protection and Electronic Documents Act (PIPEDA), when it was asked to determine whether the provisions of PIPEDA apply to evidence collected by an insurer, on behalf of an insured, in a tort action.

Specifically, State Farm Mutual Automobile Insurance Company (State Farm) had used video surveillance to inquire about the activities of a third party (Plaintiff) who had brought an action against an insured of the insurer in connection with a motor vehicle accident (State Farm has a duty to defend such an insured pursuant to New Brunswick insurance laws).  The Plaintiff subsequently made a request to State Farm that, pursuant to PIPEDA, all information collected in the course of its investigation be disclosed to him. State Farm indicated that PIPEDA did not apply and denied the request. The insurer had also claimed litigation privilege over the surveillance tapes and associated documentation. The Plaintiff subsequently complained to the Privacy Commissioner of Canada (Commissioner) who decided to proceed with an investigation in connection with the Plaintiff’s complaints.

In this case, State Farm sought an application for judicial review to challenge the decision of the Commissioner to proceed with her investigation.

State Farm argued that such an investigation was not within the jurisdiction of the privacy legislation, which would compel the insurer to provide access to information that would otherwise be covered by solicitor-client privilege or litigation privilege. The Commissioner argued that because the relationship between the insurance company and the insured was for services paid, this was a “commercial activity” as defined in PIPEDA and therefore fell within the scope of her jurisdiction.

The Court found that, pursuant to subsection 4(1)(a) of PIPEDA, “commercial activity” applies to every organization with respect to personal information that “the organization collects, uses or discloses in the course of commercial activities.” However, the Court concluded that if this provision were read as the Commissioner proposed, PIPEDA would encroach on solicitor-client privilege or litigation privilege, which was not the intention of Parliament in adopting the Act. It concluded that the purpose of PIPEDA is to protect personal information that is collected, used or disclosed in the course of commercial activity in the Canadian market, and that in this particular case the primary activity was not commercial, but rather simply incidental to the defence of the insured, and should therefore remain exempt from PIPEDA.

The Court ordered that where the organization being investigated raises solicitor-client or litigation privilege, the Commissioner’s investigative authority is limited. It granted the application for judicial review, declared the Commissioner’s decision invalid and awarded costs to State Farm.

Facebook users will now have the option to "opt-in" before third-party applications can access their data

Prompted by meetings with the Office of the Privacy Commissioner of Canada (OPC) earlier this year to improve its privacy settings, Facebook has announced that users can now choose an “opt-in” option before allowing third-party applications to access their personal information.  This will allow the website’s users to see exactly which parts of their personal data third-party applications will need before they choose to download them.

Previously, third-party applications were required to ask for a user’s permission before accessing any personal information, but they were not asked to specify exactly what information was needed.  Now, third-party applications must list exactly what information they will need, such as photos, videos or friends’ lists.  The new privacy settings also require users to give permission to a third-party application before it can access their friends’ data.

Although the option to “opt-in” is a welcome change from the option to “opt-out”, most third-party applications must still be allowed to access all the data before they can run.

Apple updates privacy policy

On June 21, 2010, Apple updated its privacy policy making it easier for the company, its partners and licensees to "collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device."

Location-based services are becoming big business in everything from mobile advertising to on-demand multimedia services. Individuals can already use applications such as Clip Mobile’s coupon application to receive deals, sign into FourSquare to let their social networks know where they are, and get turn-by-turn navigation details on their smartphones.

Apple maintains that the location-based data collected by Apple will be anonymous, and will be used only to offer specialized location-based services to its users. 

The changes have prompted two Congressmen (Texas Republican Joe Barton, co-chairman of the House Bi-Partisan Privacy Caucus and Massachusetts Democrat Edward Markey) to write a joint letter to Apple CEO Steve Jobs, asking him to explain the changes made by the company to its user privacy policy by 12 July.

The changes will affect nearly all Apple users, as individuals must agree to the new privacy policy in order to download anything from the iTunes store. There currently appears to be no way to opt out of this data collection without giving up the ability to download apps.

Amendments to Alberta's PIPA come into force

A post on Slaw today contains a discussion of Alberta's Personal Information Protection Amendment Act, 2009 by Stikeman Elliott partner Wesley Ng. Specifically, Mr. Ng considers the new requirements respecting written policies and procedures and notification.

Canadian Government re-introduces anti-spam legislation

Justine Whitehead

On May 25, 2010, the Canadian government introduced Bill C-28, an act that would establish the federal Fighting Internet and Wireless Spam Act (“FIWSA”) and make significant consequential amendments to other federal legislation, including Canada’s Competition Act, Telecommunications Act and Personal Information Protection and Electronic Documents Act (PIPEDA).

Bill C-28 is extremely similar in substance to Bill C-27, which was introduced in April 2009 and titled the Electronic Commerce Protection Act. Bill C-27 received unanimous support in the House of Commons following its third reading, but it died upon prorogation in December of 2009 while at the Standing Senate Committee on Transport and Communications. Given the strong resemblance between the two bills, many expect that Bill C-28 will move quickly through the legislative process. 

Like its predecessor, Bill C-28 was designed to reduce unsolicited or junk e-mail, commonly referred to as “spam”. Most importantly, the legislation aims to bolster consumer confidence in electronic commerce, which the government has described as necessary in order to position Canada as a leader in the digital economy. The bill incorporates a number of the legislative recommendations made in 2005 by the government-mandated “Task Force on Spam”. The proposed FIWSA aims to regulate activities such as spam, counterfeit websites (known as “phishing”) and spyware. 

The FIWSA would also establish a regime whereby the Canadian Radio-television and Telecommunications Commission (“CRTC”), the Competition Bureau of Canada and the Office of the Privacy Commissioner could share information and evidence with law enforcement agencies outside Canada, in an effort to enforce similar international laws and pursue violators beyond Canadian borders. Currently, Canada is the only G8 country and one of only four OECD (Organisation for Economic Cooperation and Development) countries without specific spam legislation. Thus, when the government first introduced Bill C-27 it was cast as a necessary step in fulfilling Canada’s international duty to join global partners in passing laws to combat spam and related cyber threats.

Prohibitions

The anti-spam provisions remain largely unchanged from Bill C-27. They would prohibit sending (or causing or permitting to be sent) a commercial “electronic message” (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. Implied consent would apply to situations in which there is an existing business or non-business relationship between the sender and recipient, and to certain limited circumstances where the recipient has, within a business context, conspicuously published or disclosed the electronic address and the disclosure was not accompanied by any statement that the person did not wish to receive commercial messages (there is also a provision that would permit future regulations to further define implied consent).

The FIWSA also sets requirements for the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow, or a specified electronic address to which an unsubscribe request can be sent. Requests must be given effect within 10 days. 

The anti-phishing provisions are drafted as prohibitions against “altering transmission data”, and would prohibit the unauthorized redirection of an electronic message to a destination other than, or in addition to, that specified by the sender, except with the sender’s express consent. As with the anti-spam provisions, an electronic address must be provided to which the sender may give a notice of withdrawal of consent, and the request must be given effect within ten days.

Notably, the prohibitions in Bill C-28 are broader than those previously provided for in Bill C-27. The prohibitions in both bills apply to anyone who procures or causes to procure a prohibited act. However, the language in Bill C-28 has been extended to also apply where someone aids in or induces such an act. 

Administrative Monetary Penalties and Private Actions

Provisions of the FIWSA that would subject violators of the Act to an Administrative Monetary Penalty (“an AMP”) remain the same as those originally envisaged in Bill C-27. An individual who violates any of the foregoing prohibitions may be subject to an AMP of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, and agents of corporations that violate the prohibitions could also be held liable for such actions if they directed, authorized, acquiesced in or participated in the commission of the violation. 

Anyone charged under the Act can raise a due diligence defence. They must show that they exercised due diligence to prevent the violation, but there is no indication as to what actions will constitute due diligence. Furthermore, any relevant common law rule or principle that would create a justification or excuse may be relied on to the extent that it is not inconsistent with the Act. 

The process for imposing liability under the AMP is a fairly expedited administrative process, administered through the CRTC. A notice may be served where the CRTC has reasonable grounds to believe that a person has committed a violation under the FIWSA. The notice must include details of every act or omission for which the notice is served, the relevant provisions and the amount of the fine. The recipient of the notice has 30 days to respond, after which time he or she will be deemed to have committed the violation and will be liable to pay the amount set out in the notice. If the recipient does provide a response, the CRTC must decide on a balance of probabilities whether the violation was committed. Upon determining that there was a violation the CRTC may impose the original fine, impose a reduced fine, or may suspend payment of the fine subject to any conditions that it considers necessary to ensure compliance with the Act. Decisions of the CRTC can be appealed to the Federal Court of Appeal. However, where the issue is one of fact, leave to appeal must be granted by the Court. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.

One of the most controversial provisions of Bill C-27 remains largely unchanged in Bill C-28. It would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing or anti-spyware provisions of the FIWSA. The application must include the alleged contravention, all relevant provisions, acts or omissions at issue, and should state the nature and amount of the loss, damage or expense. If the court is satisfied that the contravention occurred, it may order the responsible individual(s) to pay the applicant compensation for any loss, damage or expenses incurred by the applicant. The court may also grant an additional award, up to a maximum of $200 per day for most contraventions, and $1 million for each day on which a contravention occurred. Again, officers, directors, or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.

That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act. These new provisions, discussed in detail below, would be brought into effect by the FIWSA.

The FIWSA would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual’s electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way. 

The FIWSA also proposes numerous amendments to the Competition Act, including the addition of section 52.01, which broadens the criminal false or misleading representation provisions of the Competition Act. This new section would prohibit knowingly or recklessly sending, for business promotion purposes: (i) a false or misleading representation in the sender or subject matter information of an electronic message; or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to a court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.

Impact on Other Statutes

The FIWSA, if enacted, would amend the Telecommunications Act to permit the government to either maintain the current “Do Not Call” list in such a way that it would not overlap with the FIWSA regime, or to have the responsibility for regulating telemarketing fall under the FIWSA entirely. 

Facebook responds to public outcry with new privacy settings

Responding to the latest public outcry, Facebook CEO Mark Zuckerberg recently announced a number of new policies and settings; however, the changes may not be enough to satisfy regulators and critics. The Office of the Privacy Commissioner of Canada (OPC) recently responded to Facebook’s new privacy settings, warning that Facebook has not gone far enough to satisfy its commitments to the OPC.

Recent Changes to Privacy Settings

In the past, Facebook has been criticized for requiring users to adjust multiple buttons across several different pages to control privacy. The new simplified privacy controls aim to make this process easier by reducing and simplifying the number of privacy settings.

Users will also have the ability to set up lists of different kinds of friends. For example, a user can set different privacy preferences for family members, co-workers and teammates from sports. Facebook’s “social plug-ins” will additionally allow users to set who can see their friends and the pages they’ve “liked”. Previously, these fields were automatically made public.

Facebook has also made it easier to turn off the controversial “instant personalization” function, which allows people to share their information through other web services like Yelp, Pandora, and Microsoft Docs. Now, users can opt-out of this with one click.

Previous OPC Investigations of Facebook

The OPC conducted an in-depth investigation of Facebook in response to complaints from University of Ottawa law students interning at the Canadian Internet Policy and Public Interest Clinic (CIPPIC). It struck a settlement with the social media company in 2009 under which Facebook agreed to comply with Canadian privacy laws.

The investigations and the settlement were followed by further changes to Facebook’s privacy settings, and another OPC probe commenced in January 2010 in response to a complainant who “alleged that the new default setting [at that time] would have made his information more readily available than the settings he had previously put in place.”

OPC Response to Recent Changes

The OPC’s initial response to the recent changes indicates that the OPC believes that Facebook has not gone far enough to satisfy the commitments it made to the OPC in its 2009 settlement. The new settings do not affect what Facebook refers to as users’ “basic directory information”, including name, profile picture, pictures, gender and networks, which remains visible to the broader internet. The OPC remains concerned that users are still by default required to reveal personal information to the internet public when Canadian law demands greater user control.

Two courts rule on identity protection for online commentators

Courts in Nova Scotia and Ontario recently issued conflicting decisions on the ability of a plaintiff to compel a website to reveal the identities of online commentators. In both cases, the plaintiff in a defamation suit sought the identities of individuals who had posted allegedly defamatory comments to a website. In the Nova Scotia case, the court granted the order; in Ontario, the court refused it. The Ontario decision made it clear that such orders are not automatic – the court must be satisfied that there is a prima facie case for defamation, and must also weigh the public interest in disclosure against the freedom of expression and privacy interests of the parties. These issues were not addressed in the Nova Scotia decision.

Mosher v. Coast Publishing

On April 14, the Nova Scotia Supreme Court ordered a newspaper to help identify seven people who posted allegedly defamatory comments on the newspaper’s website. The case, Mosher v. Coast Publishing Ltd., 2010 NSSC 153, involved a Halifax-based newspaper, The Coast, which had published online a story about racism in Halifax’s fire service.

The Chief and Deputy Chief of the Halifax fire department sought to bring an action for defamation against the individuals who had posted the comments. Before the action could proceed, the would-be plaintiffs had to apply to the court for an order requiring The Coast to provide information about the web commentators, who had identified themselves only with pseudonyms.

In granting the order for disclosure of the information, Justice Robertson stated that “the court does not condone the conduct of anonymous internet users who make defamatory comments and they like other people have to be accountable for their actions.”

Warman v. Wilkins-Fournier

Warman v. Wilkins-Fournier, [2010] ONSC 2126 (S.C.J.), decided just a few weeks after Mosher, on May 3, was an appeal of an order to disclose information that could identify individuals who had posted allegedly defamatory comments on an internet message board managed by the defendants. In making this order, the motions judge had found that disclosure was mandatory because the information was relevant and not protected by privilege.

The Divisional Court’s appeal decision disagreed with this, noting that Charter values of privacy and freedom of expression weighed in favour of non-disclosure. The court held that where privacy interests are involved, disclosure is not automatic even if information is relevant and not protected by privilege. The court also noted the potential chilling effect on speech that would result if anyone could obtain information about the identity of online commentators simply by initiating an action. An appropriate balance, according to the court, is established by requiring that the plaintiff establish a prima facie case of defamation before disclosure can be ordered.

The decision in Mosher does not include any analysis of whether a prima facie case was made out, nor does it consider any balance of rights to be met in determining whether disclosure would be appropriate under the circumstances of that case.

Personal Information Protection Act amendments proclaimed in Alberta

Barbara B. Johnston, Gary T. Clarke, Birch K. Miller and April Kosten

Effective May 1, 2010, amendments to Alberta's Personal Information Protection Act (PIPA) are in force, which provide new and notable requirements applicable to organizations.

Notification respecting service providers outside of Canada

Organizations that use service providers outside of Canada to collect personal information about individuals or that transfer personal information to service providers outside of Canada must notify individuals of:

  • the ways in which they may obtain access to written information about the organization's policies and practices with respect to service providers outside of Canada; and
  • the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.

Such notification must be provided before personal information is collected by, or transferred to, the service provider.

Additionally, organizations that use service providers outside of Canada, must develop and follow policies and practices that identify:

  • the countries outside of Canada in which collection, use, disclosure or storage of personal information is occurring or may occur; and
  • the purposes for which service providers have been authorized to collect, use or disclose personal information for or on behalf of the organization.

Expanded definitions of "employee" and "personal employee information"

The definition of "employee" now includes individuals who perform a service for organizations as partners, directors or officers. This amendment allows organizations to collect, use and disclose personal information about their partners, directors and officers under PIPA's special provisions for personal employee information.

PIPA's definition of "personal employee information" has also been expanded to include personal information reasonably required for the purposes of "managing a post-employment or post-volunteer-work relationship." The expansion allows employers to collect, use and disclose personal information about former employees under PIPA's special provisions for personal employee information.

Retention and destruction of personal information

A new provision has been added to PIPA requiring organizations to destroy records containing personal information (or to render such information non-identifying) when such information is no longer reasonably required for legal or business purposes.

Notice to Individuals of security breach

The Alberta Information and Privacy Commissioner has been given the authority to require organizations that suffer a privacy breach to notify individuals to whom there is a real risk of significant harm. The Commissioner is able to exercise this power at any time and an individual complaint need not be filed.

If notification is ordered, the notice must include a description of the incident that led to the privacy breach, the time the incident occurred, a description of the personal information involved, information about any steps taken to reduce the risk of harm and contact information for a person who can answer questions about the breach.

New offence provisions

There are two new offence provisions. It is now an offence under PIPA to:

  • fail to notify the Commissioner of a privacy breach that poses a real risk of significant harm to individuals; and
  • take any adverse employment action against individuals who disclose a contravention of PIPA by their employer or fellow employees, who take action in order to avoid having any person contravene PIPA, or who refuse to do anything in contravention of PIPA.

Facebook publishes natural language privacy policy

In November 2009, Facebook responded to privacy concerns by publishing a new, natural language privacy policy. The new policy will first be available for public review and comment, before eventually replacing the current “legalese” version. Last August, Facebook was forced to change its privacy policy, in response to a complaint filed by a Canadian law student with Canada’s Privacy Commissioner. The natural language privacy policy reflects Facebook’s goal to improve “transparency and readability”, according to communications and public policy executive Elliot Schrage.

The Genetic Information Nondiscrimination Act (GINA) Comes into Force in the U.S.

In 2008, the U.S. enacted the Genetic Information Nondiscrimination Act of 2008 (GINA) to prohibit discrimination in health coverage and employment based on genetic information. While many states have already enacted legislation that prohibits discrimination based on genetic information, the degree of protection provided by state laws varies widely, and the federal act provides a minimum baseline of protection. GINA prohibits health insurers or administrators from requesting or requiring genetic information from an individual or an individual’s family members. GINA also prohibits employers from using genetic information in any decisions regarding employment.

U.S. federal agencies publish final model GLBA privacy form

On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.

The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.

The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.

Schuster v. Royal & Sun Alliance Insurance Company of Canada

An Ontario Court judge recently rejected Royal & Sun Alliance Insurance Co.’s bid to see a woman’s Facebook profile in a case where the woman was suing to recover for injuries suffered in a car crash. The judge stated that the plaintiff’s privacy would be respected unless the defendant could prove a legal entitlement to the ruling. The judge gave the defendant an opportunity to cross-examine the plaintiff to try to prove a legal entitlement, but refused to do anything further. This decision represents a slightly stronger stance towards privacy than the Leduc v. Roman case discussed in an earlier post.

All parties in a litigation have an obligation to disclose all relevant documents to the other side. The plaintiff did not disclose any information from Facebook and the defendant argued the plaintiff must have violated her obligation to disclose. The judge held that one could not assume that the plaintiff had relevant information on Facebook just because people normally put information on Facebook.

The judge noted that the plaintiff had restrictive privacy settings and that she did not intend to share her information with the public at large. The judge allowed the defendant to cross-examine the plaintiff to ensure that all relevant information on Facebook had been disclosed.

Canadian Privacy Commissioners provide guidance on workplace privacy in the time of a pandemic

In response to inquiries from organizations seeking clarification as to the application of privacy laws in the private sector workplace during the H1N1 pandemic, the Office of the Privacy Commissioner of Canada, together with the Office of the Information and Privacy Commissioner for British Columbia and the Office of the Information and Privacy Commissioner of Alberta, published a guidance document on the issue.

The federal Personal Information Protection and Electronic Documents Act, and the provincial privacy legislation in Alberta, British Columbia and Quebec apply in the usual way in the event of “non-emergency” situations. However, in the event of the declaration of a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Orders issued under public health legislation could require the collection, use and disclosure of certain information relating to employees and customers, which collection would not be impeded by private sector privacy legislation.

The guidance document encourages employers to provide employees with information on prevention rather than asking employees personal questions that go beyond what is reasonable and minimally necessary.

CRTC sets Canadian "net neutrality" framework

Canada's federal telecommunications regulator, the Canadian Radio-television and Telecommunications Commission (CRTC), has recently released a regulatory policy decision clarifying its legislative authority within Canada's Telecommunications Act to police discriminatory internet traffic management practices by ISPs and its position in favour of net neutrality. In addition, this decision also enhances the protection of personal information collected by ISPs by seeking to “impose a higher standard than that available under PIPEDA in order to provide a higher degree of privacy protection for customers of telecommunications services.”

In this decision, the CRTC sets out some ground rules for the internet traffic management practices (ITMPs) of internet service providers (ISPs) and attempts to balance the freedom of Canadians to use the Internet for various purposes with the legitimate interests of ISPs in managing the traffic thus generated on their networks, consistent with legislation, including privacy legislation. While the CRTC has deemed it inappropriate to create bright-line rules as to which types of ITMPs are acceptable, it has set out certain ground rules that:

  • mandate ISPs to disclose their ITMPs to retail customers, including: (i) why they are being introduced; (ii) who is affected; (iii) when they will occur; (iv) what type of Internet traffic is subject to the traffic management; and (v) how they will affect an Internet user's experience, including their specific impact on speed;
  • require prior regulatory approval for ITMPs applied by ISPs to their wholesale services that are more restrictive than those they apply to their own retail Internet services;
  • require prior notice, followed by a waiting period, before implementing or making changes to ITMPs;
  • prohibit the blocking of access to content unless prior approval is obtained from the CRTC;
  • prohibit the use of ITMPs resulting in noticeable degradation of time-sensitive Internet traffic unless prior approval is obtained from the CRTC;
  • provide a venue to challenge ITMPs that are unnecessary or disproportionate; and
  • protect consumer privacy interests by directing ISPs, as a condition of providing retail Internet services, not to use personal information collected for the purpose of traffic management for other purposes and not to disclose such information.

Additionally, the CRTC expects mobile wireless internet services to abide by the principles set out in this decision.

Guidance on covert video surveillance in the private sector

The Office of the Privacy Commissioner of Canada (OPC) issued a guidance document outlining the privacy obligations and responsibilities of private sector organizations contemplating and engaging in covert video surveillance.

The OPC notes that it considers covert video surveillance to be an extremely privacy-invasive form of technology, the use of which should only be considered in the most limited cases.

The guidance document notes that capturing images of identifiable individuals through covert video surveillance is considered to be a collection of personal information, irrespective of the fact that it may occur in a public place, and as such, is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA requires that organizations contemplating the use of covert video surveillance ensure that the collection, use or disclosure of such personal information is limited to purposes that a reasonable person would consider appropriate in the circumstances. The guidance document notes that what is considered appropriate in the circumstances involves an analysis of several factors, including whether:

  • there is a demonstrable, evidentiary need for the collection, beyond mere suspicion;
  • the personal information collected is clearly related to a legitimate business purpose and objective;
  • the loss of privacy from the covert video surveillance is proportional to the benefit gained; and
  • less privacy-invasive measures were exhausted prior to the implementation of covert video surveillance.

Cross-examination of plaintiff allowed on supplementary affidavit of documents regarding content of Facebook profile

Leduc v. Roman, 2009 CanLII 6838 (Ont. S.C.J.).

Alex Colangelo

Existence of Facebook profile allowed for inference that private portion of profile may contain relevant material

The parties in this case were involved in a motor vehicle accident in 2004. The plaintiff subsequently initiated an action claiming that the defendant’s negligence resulted in a lessened enjoyment of life. Sometime after Mr. Leduc’s examination for discovery, defence counsel discovered that the plaintiff maintained a Facebook account. The privacy settings on the account, however, restricted access to his profile, resulting in only the plaintiff’s name, city of residence and profile photograph being accessible to the defendant.

Under Rule 30.06 of Ontario’s Rules of Civil Procedure, a court may make certain orders, such as for the production of a document for inspection or the service of a further and better affidavit of documents, where it believes that relevant documents have been omitted from a party’s affidavit of documents. Relying on Rule 30.06, in June 2008 the defendant moved for, among other things, the production of all information on the plaintiff’s Facebook profile and the production of a sworn supplementary affidavit of documents. While the plaintiff consented to producing a supplementary affidavit of documents, the production issue remained unresolved.

At the motion level, while Master Dash recognized that Facebook profile pages are “documents” for the purposes of the Rules of Civil Procedure, he refused to order the production of the Facebook pages. According to Master Dash, the defendant’s request, based simply on the evidence that Facebook profiles typically include such things as photographs, was “clearly a fishing expedition.”

On appeal, Justice Boswell considered the case of Murphy v. Perger, [2007] O.J. No. 5511 (Ont. SCJ), which also dealt with the production of a limited-access Facebook profile. In Murphy, the Court had ordered production of documents posted on the plaintiff’s private profile based on photographs on the publicly-accessible portion of her profile showing the plaintiff engaged in various social activities. The Court in Murphy found that the nature of Facebook and the photographs existing on the public portion of the plaintiff’s profile made it reasonable to conclude that the private portion of the profile would also contain photographs.

The Superior Court in the immediate case agreed with the Court in Murphy that the presence of content on a party’s publicly-accessible profile would allow for the inference that similar content exists on the private portion of a profile. Taking it one step further, however, the Court found that even in cases where there is no publicly-accessible profile,

a court can infer from the social networking purpose of Facebook, and the applications it offers to users such as the posting of photographs, that users intend to take advantage of Facebook’s applications to make personal information available to others.

The Court disagreed with the categorization of the defendant’s request as a “fishing expedition” even though there existed no evidence of relevant content beyond the mere existence of the plaintiff’s Facebook profile. While the Court disagreed that production should extend to all material on such a profile, the Court found that a party that discovers a profile following examination for discovery “should enjoy some opportunity to ascertain and test whether the Facebook profile contains content relevant to any matter in issue in an action.” This would include requiring the preservation and printing out of posted material, the swearing of a supplementary affidavit of documents identifying relevant Facebook documents and, where few or no documents are disclosed, permitting a cross-examination on that affidavit of documents. Ultimately, therefore, the Court allowed the appeal and granted leave to the defendant to cross-examine the plaintiff on his supplementary affidavit of documents with respect to the nature of material on his Facebook profile.

Of particular note to counsel, the Court found that

[g]iven the pervasive use of Facebook and the large volume of photographs typically posted on Facebook sites, it is now incumbent on a party’s counsel to explain to the client, in appropriate cases, that documents posted on the party’s Facebook profile may be relevant to allegations made in the pleadings.

While the court’s findings would obviously apply to other similar social networking sites, it is unclear whether they would extend beyond such websites. For example, blogs have traditionally been more focused on the exchange of ideas than on the sharing of photographs, and it is questionable whether the existence of a private blog would lead to the inference that relevant material existed on the site.