Teresa Scassa - Blog

 

The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.

The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.

RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPCC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.

In reaching it conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)

After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)

RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.

The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.

The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.

Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.

Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.

Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.

Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.

 

 

 

 

Published in Privacy

Citizen science is the name given to a kind of crowd-sourced public participatory scientific research in which professional researchers benefit from the distributed input of members of the public. Citizen science projects may include community-based research (such as testing air or water quality over a period of time), or may involve the public in identifying objects from satellite images or videos, observing and recording data, or even transcribing hand written notes or records from previous centuries. Some well-known citizen science projects include eBird, Eyewire, FoldIt, Notes from Nature, and Galaxy Zoo. Zooniverse offers a portal to a vast array of different citizen science projects. The range and quantity of citizen science experiences that are now available to interested members of the public are a testament both to the curiosity and engagement of volunteers as well as to the technologies that now enable this massive and distributed engagement.

Scientific research of all kinds – whether conventional or involving public participation – leads inevitably to the generation of intellectual property (IP). This may be in the form of patentable inventions, confidential information or copyright protected works. Intellectual property rights are relevant to the commercialization, exploitation, publication and sharing of research. They are important to the researchers, their employers, their funders, and to the research community. To a growing extent, they are of interest to the broader public – particularly where that public has been engaged in the research through citizen science.

What IP rights may arise in citizen science, how they do so, and in what circumstances, are all issues dealt with by myself and co-author Haewon Chung in a paper released in December 2015 by the Commons Lab of the Wilson Center for International Scholars in Washington, D.C. Titled Best Practices for Managing Intellectual Property Rights in Citizen Science, this paper is a guide for both citizen science researchers and participants. It covers topics such as the reasons why IP rights should be taken into account in citizen science, the types of rights that are relevant, how they might arise, and how they can be managed. We provide an explanation of licensing, giving specific examples and even parse license terms. The paper concludes with a discussion of best practices for researchers and a checklist for citizen science participants.

Our goal in preparing this report was to raise awareness of IP issues, and to help researchers think through IP issues in the design of their projects so that they can achieve their objectives without unpleasant surprises down the road. These unpleasant surprises might include realizing too late that the necessary rights to publish photographs or other materials contributed by participants have not been obtained; that commitments to project funders preclude the anticipated sharing of research results with participants; or that the name chosen for a highly successful project infringes the trademark rights of others. We also raise issues from participant perspectives: What is the difference between a transfer of IP rights in contributed photos or video and a non-exclusive license with respect to the same material? Should participants expect that research data and related publications will be made available under open licenses in exchange for their participation? When and how are participant contributions to be acknowledged in any research outputs of the project?

In addition to these issues, we consider the diverse IP interests that may be at play in citizen science projects, including those of researchers, their institutions, funders, participants, third party platform hosts, and the broader public. As citizen science grows in popularity, and as the scope, type and variety of projects also expands, so too will the IP issues. We hope that our research will contribute to a greater understanding of these issues and to the complex array of relationships in which they arise.

Note: This research paper was funded by the Commons Lab of the Wilson Center and builds upon our earlier shorter paper: Typology of Citizen Science Projects from an Intellectual Property Perspective: Invention and Authorship Between Researchers and Participants. Both papers are published under a Creative Commons Licence.

 

Published in Copyright Law

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law