Teresa Scassa - Blog

Displaying items by tag: data protection

The post is the second in a series that looks at the recommendations contained in the report on the Personal Information Protection and Electronic Documents Act (PIPEDA) issued by the House of Commons Standing Committee on Access to Information and Privacy Ethics (ETHI). My first post considered ETHI’s recommendation to retain consent at the heart of PIPEDA with some enhancements. At the same time, ETHI recommended some new exceptions to consent. This post looks at one of these – the exception relating to publicly available information.

Although individual consent is at the heart of the PIPEDA model – and ETHI would keep it there – the growing number of exceptions to consent in PIPEDA is reason for concern. In fact, the last round of amendments to PIPEDA in the 2015 Digital Privacy Act, saw the addition of ten new exceptions to consent. While some of these were relatively uncontroversial (e.g. making it clear that consent was not needed to communicate with the next of kin of an injured, ill or deceased person) others were much more substantial in nature. In its 2018 report ETHI has made several recommendations that continue this trend – creating new contexts in which individual consent will no longer be required for the collection, use or disclosure of personal information. In this post, I focus on one of these – the recommendation that the exception to consent for the use of “publicly available information” be dramatically expanded to include content shared by individuals on social media. In light of the recent Facebook/Cambridge Analytica scandal, this recommended change deserves some serious resistance.

PIPEDA already contains a carefully limited exception to consent to the collection, use or disclosure of personal information where it is “publicly available” as defined in the Regulations Specifying Publicly Available Information. These regulations identify five narrowly construed categories of publicly available information. The first is telephone directory information (but only where the subscriber has the option to opt out of being included in the directory). The second is name and contact information that is included in a professional business directory listing that is available to the public; nevertheless, such information can only be collected, used or disclosed without consent where it relates “directly to the purpose for which the information appears in the registry” (i.e. contacting the individual for business purposes). There is a similar exception for information in a public registry established by law (for example, a land titles registry); this information can similarly only be collected, used or disclosed for purposes related to those for which it appears in the record or document. Thus, consent is not required to collect land registry information for the purposes of concluding a real estate transaction. However, it is not permitted to extract personal information from such a registry, without consent, to use for marketing. A fourth category of publicly available personal information is information appearing in court or tribunal records or documents. This respects the open courts principle, but the exception is limited to collection, use or disclosure that relates directly to the purpose for which the information appears in the record or document. This means that online repositories of court and tribunal decisions cannot be mined for personal information; however, personal information can be used without consent to further the open courts principle (for example, a reporter gathering information to use in a newspaper story).

This brings us to the fifth category of publicly available information – the one ETHI would explode to include vast quantities of personal information. Currently, this category reads:

e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

ETHI’s recommendation is to make this “technologically neutral” by having it include content shared by individuals over social media. According to ETHI, a “number of witnesses considered this provision to be “obsolete.” (at p. 27) Perhaps not surprisingly, these witnesses represented organizations and associations whose members would love to have unrestricted access to the contents of Canadians’ social media feeds and pages. The Privacy Commissioner was less impressed with the arguments for change. He stated: “we caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it.” (at p. 28) The Commissioner recommended careful study with a view to balancing “fundamental individual and societal rights.” This cautious approach seems to have been ignored. The scope of ETHI’s proposed change is particularly disturbing given the very carefully constrained exceptions that currently exist for publicly available information. A review of the Regulations should tell any reader that this was always intended to be a very narrow exception with tightly drawn boundaries; it was never meant to create a free-for-all open season on the personal information of Canadians.

The Cambridge Analytica scandal reveals the harms that can flow from unrestrained access to the sensitive and wide-ranging types and volumes of personal information that are found on social media sites. Yet even as that scandal unfolds, it is important to note that everyone (including Facebook) seems to agree that user consent was both required and abused. What ETHI recommends is an exception that would obviate the need for consent to the collection, use and disclosure of the personal information of Canadians shared on social media platforms. This could not be more unwelcome and inappropriate.

Counsel for the Canadian Life and Health Insurance Association, in addressing ETHI, indicated that the current exception “no longer reflects reality or the expectations of the individuals it is intended to protect.” (at p. 27) A number of industry representatives also spoke of the need to make the exception “technologically neutral”, a line that ETHI clearly bought when it repeated this catch phrase in its recommendation. The facile rhetoric of technological neutrality should always be approached with enormous caution. The ‘old tech’ of books and magazines involved: a) relatively little exposure of personal information; b) carefully mediated exposure (through editorial review, fact-checking, ethical policies, etc.); c) and time and space limitations that tended to focus publication on the public interest. Social media is something completely different. It is a means of peer-to-peer communication and interaction which is entirely different in character and purpose from a magazine or newspaper. To treat it as the digital equivalent is not technological neutrality, it is technological nonsensicality.

It is important to remember that while the exception to consent for publicly available information exists in PIPEDA; the definition of its parameters is found in a regulation. Amendments to legislation require a long and public process; however, changes to regulations can happen much more quickly and with less room for public input. This recommendation by ETHI is therefore doubly disturbing – it could have a dramatic impact on the privacy rights of Canadians, and could do so more quickly and quietly than through the regular legislative process. The Privacy Commissioner was entirely correct in stating that there should be no change to these regulations without careful consideration and a balancing of interests, and perhaps no change at all.

Published in Privacy

The recent scandal regarding the harvesting and use of the personal information of millions of Facebook users in order to direct content towards them aimed at influence their voting behavior raises some interesting questions about the robustness of our data protection frameworks. In this case, a UK-based professor collected personal information via an app, ostensibly for non-commercial research purposes. In doing so he was bound by terms of service with Facebook. The data collection was in the form of an online quiz. Participants were paid to answer a series of questions, and in this sense they consented to and were compensated for the collection of this personal information. However, their consent was to the use of this information only for non-commercial academic research. In addition, the app was able to harvest personal information from the Facebook friends of the study participants – something which took place without the knowledge or consent of those individuals. The professor later sold his app and his data to Cambridge Analytica, which used it to target individuals with propaganda aimed at influencing their vote in the 2016 US Presidential Election.

A first issue raised by this case is a tip-of-the-iceberg issue. Social media platforms – not just Facebook – collect significant amounts of very rich data about users. They have a number of strategies for commercializing these treasure troves of data, including providing access to the platform to app developers or providing APIs on a commercial basis that give access to streams of user data. Users typically consent to some secondary uses of their personal information under the platform’s terms of service (TOS). Social media platform companies also have TOS that set the terms and conditions under which developers or API users can obtain access to the platform and/or its data. What the Cambridge Analytica case reveals is what may (or may not) happen when a developer breaches these TOS.

Because developer TOS are a contract between the platform and the developer, a major problem is the lack of transparency and the grey areas around enforcement. I have written about this elsewhere in the context of another ugly case involving social media platform data – the Geofeedia scandal (see my short blog post here, full article here). In that case, a company under contract with Twitter and other platforms misused the data it contracted for by transforming it into data analytics for police services that allowed police to target protesters against police killings of African American men. This was a breach of contractual terms between Twitter and the developer. It came to public awareness only because of the work of a third party (in that case, the ACLU of California). In the case of Cambridge Analytica, the story also only came to light because of a whistleblower (albeit one who had been involved with the company’s activities). In either instance it is important to ask whether, absent third party disclosure, the situation would ever have come to light. Given that social media companies provide, on a commercial basis, access to vast amounts of personal information, it is important to ask what, if any, proactive measures they take to ensure that developers comply with their TOS. Does enforcement only take place when there is a public relations disaster? If so, what other unauthorized exploitations of personal information are occurring without our knowledge or awareness? And should platform companies that are sources of huge amounts of personal information be held to a higher standard of responsibility when it comes to their commercial dealing with this personal information?

Different countries have different data protection laws, so in this instance I will focus on Canadian law, to the extent that it applies. Indeed, the federal Privacy Commissioner has announced that he is looking into Facebook’s conduct in this case. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), a company is responsible for the personal information it collects. If it shares those data with another company, it is responsible for ensuring proper limitations and safeguards are in place so that any use or disclosure is consistent with the originating company’s privacy policy. This is known as the accountability principle. Clearly, in this case, if the data of Canadians was involved, Facebook would have some responsibility under PIPEDA. What is less clear is how far this responsibility extents. Clause 4.1.3 of Schedule I to PIPEDA reads: “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.” [My emphasis]. One question, therefore, is whether it is enough for Facebook to simply have in place a contract that requires its developers to respect privacy laws, or whether Facebook’s responsibility goes further. Note that in this case Facebook appears to have directed Cambridge Analytica to destroy all improperly collected data. And it appears to have cut Cambridge Analytica off from further access to its data. Do these steps satisfy Facebook’s obligations under PIPEDA? It is not at all clear that PIPEDA places any responsibilities on organizations to actively supervise or monitor companies with which it has shared data under contract. It is fair to ask, therefore, whether in cases where social media platforms share huge volumes of personal data with developers, is the data-sharing framework in PIPEDA sufficient to protect the privacy interests of the public.

Another interesting question arising from the scandal is whether what took place amounts to a data breach. Facebook has claimed that it was not a data breach – from their perspective, this is a case of a developer that broke its contract with Facebook. It is easy to see why Facebook would want to characterize the incident in this way. Data breaches can bring down a whole other level of enforcement, and can also give rise to liability in class action law suits for failure to properly protect the information. In Canada, new data breach notification provisions (which have still not come into effect under PIPEDA) would impose notification requirements on an organization that experienced a breach. It is interesting to note, though, that he data breach notification requirements are triggered where there is a “real risk of significant harm to an individual” [my emphasis]. Given what has taken place in the Cambridge Analytical scandal, it is worth asking whether the drafters of this provision should have included a real risk of significant harm to the broader public. In this case, the personal information was used to subvert democratic processes, something that is a public rather than an individual harm.

The point about public harm is an important one. In both the Geofeedia and the Cambridge Analytica scandals, the exploitation of personal information was on such a scale and for such purposes that although individual privacy may have been compromised, the greater harms were to the public good. Our data protection model is based upon consent, and places the individual and his or her choices at its core. Increasingly, however, protecting privacy serves goals that go well beyond the interests of any one individual. Not only is the consent model broken in an era of ubiquitous and continuous collection of data, it is inadequate to address the harms that come from improper exploitation of personal information in our big data environment.

Published in Privacy

In February 2018 the Standing Committee on Access to Information, Privacy and Ethics (ETHI) issued its report based on its hearings into the state of Canada’s Personal Information Protection and Electronic Documents Act. The Committee hearings were welcomed by many in Canada’s privacy community who felt that PIPEDA had become obsolete and unworkable as a means of protecting the personal information of Canadians in the hands of the private sector. The report, titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act seems to come to much the same conclusion. ETHI ultimately makes recommendations for a number of changes to PIPEDA, some of which could be quite significant.

This blog post is the first in a series that looks at the ETHI Report and its recommendations. It addresses the issue of consent.

The enactment of PIPEDA in 2001 introduced a consent-based model for the protection of personal information in the hands of the private sector in Canada. The model has at its core a series of fair information principles that are meant to guide businesses in shaping their collection, use and disclosure of personal information. Consent is a core principle; other principles support consent by ensuring that individuals have adequate and timely notice of the collection of personal information and are informed of the purposes of collection.

Unfortunately, the principle of consent has been drastically undermined by advances in technology and by a dramatic increase in the commercial value of personal information. In many cases, personal information is now actual currency and not just the by-product of transactions, changing the very fundamentals of the consent paradigm. In the digital environment, the collection of personal information is also carried out continually. Not only is personal information collected with every digital interaction, it is collected even while people are not specifically interacting with organizations. For example, mobile phones and their myriad apps collect and transmit personal information even while not in use. Increasingly networked and interconnected appliances, entertainment systems, digital assistants and even children’s toys collect and communicate steady streams of data to businesses and their affiliates.

These developments have made individual consent somewhat of a joke. There are simply too many collection points and too many privacy policies for consumers to read. Most of these policies are incomprehensible to ordinary individuals; many are entirely too vague when it comes to information use and sharing; and individuals can easily lose sight of consents given months or years previously to apps or devices that are largely forgotten but that nevertheless continuing to harvest personal information in the background. Managing consent in this environment is beyond the reach of most. To add insult to injury, the resignation felt by consumers without meaningful options for consent is often interpreted as a lack of interest in privacy. As new uses (and new markets) for personal information continue to evolve, it is clear that the old model of consent is no longer adequate to serve the important privacy interests of individuals.

The ETHI Report acknowledges the challenges faced by the consent model; it heard from many witnesses who identified problems with consent and many who proposed different models or solutions. Ultimately, however, ETHI concludes that “rather than overhauling the consent model, it would be best to make minor adjustments and let the stakeholders – the Office of the Privacy Commissioner (OPC), businesses, government, etc. – adapt their practices in order to maintain and enhance meaningful consent.”(at p. 20)

The fact that the list of stakeholders does not include the public – those whose personal information and privacy are at stake – is telling. It signals ambivalence about the importance of privacy within the PIPEDA framework. In spite of being an interest hailed by the Supreme Court of Canada as quasi-constitutional in nature, privacy is still not approached by Parliament as a human right. The prevailing legislative view seems to be that PIPEDA is meant to facilitate the exchange of personal information with the private sector; privacy is protected to the extent that it is necessary to support public confidence in such exchanges. The current notion of consent places a significant burden on individuals to manage their own privacy and, by extension, places any blame for oversharing on poor choices. It is a cynically neo-liberal model of regulation in which the individual ultimately must assume responsibility for their actions notwithstanding the fact that the deck has been so completely and utterly stacked against them.

The OPC recently issued a report on consent which also recommended the retention of consent as a core principle, but recognized the need to take concrete steps to maintain its integrity. The OPC recommendations included using technological tools, developing more accessible privacy policies, adjusting the level of consent required to the risk of harm, creating no-go zones for the use of personal information, and enhancing privacy protection for children. ETHI’s rather soft recommendations on consent may be premised on an understanding that much of this work will go ahead without legislative change.

Among the minor adjustments to consent recommended by ETHI is that PIPEDA be amended to make opt-in consent the default for any use of personal information for secondary purposes. This means that while there might be opt-out consent for the basic services for which a consumer is contracting (in other words, if you provide your name and address for the delivery of an item, it can be assumed you are consenting to the use of the information for that purpose), consumers must agree to the collection, use or disclosure of their personal information for secondary or collateral purposes. ETHI’s recommendation also indicates that opt-in consent might eventually become the norm in all circumstances. Such a change may have some benefits. Opt out consent is invidious. Think of social media platform default settings that enable a high level of personal information sharing, leaving consumers to find and adjust these settings if they want greater protection for their privacy. An opt-in consent requirement might be particularly helpful in addressing such problems. Nevertheless, it will not be much use in the context of long, complex (and largely unread) privacy policies. Many such policies ask consumers to consent to a broad range of uses and disclosures of personal information, including secondary purposes described in the broadest of terms. A shift to opt-in consent will not help if agreeing to a standard set of unread terms amounts to opting-in.

ETHI also considered whether and how individuals should be able to revoke their consent to the collection, use or disclosure of their personal information. The issues are complex. ETHI gave the example of social media, where information shared by an individual might be further disseminated by many others, making it challenging to give effect to a revocation of consent. ETHI recommends that the government “study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications”.

ETHI also recommended that the government consider specific rules around consent for minors, as well as the collection, use and disclosure of their personal information. Kids use a wide range of technologies, but may be particularly vulnerable because of a limited awareness of their rights and recourses, as well as of the long-term impacts of personal information improvidently shared in their youth. The issues are complex and worthy of further study. It is important to note, however, that requiring parental consent is not an adequate solution if the basic framework for consent is not addressed. Parents themselves may struggle to understand the technologies and their implications and may be already overwhelmed by multiple long and complex privacy policies. The second part of the ETHI recommendation which speaks to specific rules around the collection, use and disclosure of the personal information of minors may be more helpful in addressing some of the challenges in this area. Just as we have banned some forms of advertising directed at children, we might also choose to ban some kinds of collection or uses of children’s personal information.

In terms of enhancing consent, these recommendations are thin on detail and do not provide a great deal of direction. They seem to be informed by a belief that a variety of initiatives to enhance consent through improved privacy policies (including technologically enhanced policies) may suffice. They are also influenced by concerns expressed by business about the importance of maintaining the ‘flexibility’ of the current regime. While there is much that is interesting elsewhere within the ETHI report, the discussion of consent feels incomplete and disappointing. Minor adjustments will not make a major difference.

Up next: One of the features of PIPEDA that has proven particularly challenging when it comes to consent is the ever-growing list of exceptions to the consent requirement. In my next post I will consider ETHI’s recommendations that would add to that list, and that also address ‘alternatives’ to consent.

Published in Privacy

The Office of the Privacy Commissioner of Canada has released its Draft Position on Online Reputation. It’s an important issue and one that is of great concern to many Canadians. In the Report, the OPC makes recommendations for legislative change and proposes other measures (education, for example) to better protect online reputation. However, the report has also generated considerable controversy for the position it has taken on how the Personal Information Protection and Electronic Documents Act currently applies in this context. In this post I will focus on the Commissioner’s expressed view that PIPEDA applies to search engine activities in a way that would allow Canadians to request the de-indexing of personal information from search engines, with the potential to complain to the Commissioner if these demands are not met.

PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity. The Commissioner reasons, in this report, that search engines are engaged in commercial activity, even if search functions are free to consumers. An example is the placement of ads in search results. According to the Commissioner, because search engines can provide search results that contain (or lead to) personal information, these search engines are collecting, using and disclosing personal information in the course of commercial activity.

With all due respect, this view seems inconsistent with current case law. In 2010, the Federal Court in State Farm Mutual Automobile Insurance Co. v. Canada (Privacy Commissioner) ruled that an insurance company that collected personal information on behalf of an individual it was representing in a law suit was not collecting that information in the course of commercial activity. This was notwithstanding the fact that the insurance company was a commercial business. The Court was of the view that, at essence, the information was being collected on behalf of a private person (the defendant) so that he could defend a legal action (a private and non-commercial matter to which PIPEDA did not apply). Quite tellingly, at para 106, the court stated: “if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf.”

The same reasoning applies to search engines. Yes, Google makes a lot of money, some of which comes from its search engine functions. However, the search engines are there for anyone to use, and the relevant activities, for the purposes of the application of PIPEDA, are those of the users. If a private individual carries out a Google search for his or her own purposes, that activity does not amount to the collection of personal information in the course of commercial activity. If a company does so for its commercial purposes, then that company – and not Google – will have to answer under PIPEDA for the collection, use or disclosure of that personal information. The view that Google is on the hook for all searches is not tenable. It is also problematic for the reasons set out by my colleague Michael Geist in his recent post.

I also note with some concern the way in which the “journalistic purposes” exception is treated in the Commissioner’s report. This exception is one of several designed to balance privacy with freedom of expression interests. In this context, the argument is that a search engine facilitates access to information, and is a tool used by anyone carrying out online research. This is true, and for the reasons set out above, PIPEDA does not apply unless that research is carried out in the course of commercial activities to which the statute would apply. Nevertheless, in discussing the exception, the Commissioner states:

Some have argued that search engines are nevertheless exempt from PIPEDA because they serve a journalistic or literary function. However, search engines do not distinguish between journalistic/literary material. They return content in search results regardless of whether it is journalistic or literary in nature. We are therefore not convinced that search engines are acting for “journalistic” or “literary” purposes, or at least not exclusively for such purposes as required by paragraph 4(2)(c).

What troubles me here is the statement that “search engines do not distinguish between journalistic and literary material”. They don’t need to. The nature of what is sought is not the issue. The issue is the purpose. If an individual uses Google in the course of non-commercial activity, PIPEDA does not apply. If a journalist uses Google for journalistic purposes, PIPEDA does not apply. The nature of the content that is searched is immaterial. The quote goes on to talk about whether search engines act for journalistic or literary purposes – that too is not the point. Search engines are tools. They are used by actors. It is the purposes of those actors that are material, and it is to those actors that PIPEDA will apply – if they are collecting, using or disclosing personal information in the course of commercial activity.

The Report is open for comment until April 19, 2018.

Published in Privacy

Canada’s Federal Court of Appeal has handed down a decision that addresses important issues regarding control over commercially valuable data. The decision results from an appeal of an earlier ruling of the Competition Tribunal regarding the ability of the Toronto Real Estate Board (TREB) to limit the uses to which its compilation of current and historical property listings in the Greater Toronto Area (GTA) can be put.

Through its operations, the TREB compiles a vast database of real estate listings. Information is added to the database on an ongoing basis by real estate brokers who contribute data each time a property is listed with them. Real estate agents who are members of TREB in turn receive access to a subset of this data via an electronic feed. They are permitted to make this data available through their individual websites. However, the TREB does not permit all of its data to be shared through this feed; some data is available only through other means such as in-person consultation, or communications of snippets of data via email or fax.

The dispute arose after the Competition Commissioner applied to the Competition Tribunal for a ruling as to whether the limits imposed by the TREB on the data available through the electronic feed inhibited the ability of “virtual office websites” (VOWs) to compete with more conventional real estate brokerages. The tribunal ruled that they did, and the matter was appealed to the Federal Court of Appeal. Although the primary focus of the Court’s decision was on the competition issues, it also addressed questions of privacy and copyright law.

The Federal Court of Appeal found that the TREB’s practices of restricting available data – including information on the selling price of homes – had anticompetitive effects that limited the range of broker services that were available in the GTA, limited innovation, and had an adverse impact on entry into and expansion of relevant markets. This aspect of the decision highlights how controlling key data in a sector of the economy can amount to anti-competitive behavior. Data are often valuable commercial assets; too much exclusivity over data may, however, pose problems. Understanding the limits of control over data is therefore an important and challenging issue for businesses and regulators alike.

The TREB had argued that one of the reasons why it could not provide certain data through its digital feed was because these data were personal information and it had obligations under the Personal Information Protection and Electronic Documents Act to not disclose this information without appropriate consent. The TREB relied on a finding of the Office of the Privacy Commissioner of Canada that the selling price of a home (among those data held back by TREB) was personal information because it could lead to inferences about the individual who sold the house (e.g.: their negotiating skills, the pressure on them to sell, etc.). The Court noted that the TREB already shared the information it collected with its members. Information that was not made available through the digital feed was still available through more conventional methods. In fact, the Court noted that the information was very widely shared. It ruled that the consent provided by individuals to this sharing of information would apply to the sharing of the same information through a digital feed. It stated: “PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods. The introduction of VOWs is not a new purpose – the purpose remains to provide residential real estate services [. . .].” (at para 165) The Court’s decision was influenced by the fact that the consent form was very broadly worded. Through it, TREB obtained consent to the use and dissemination of the data “during the term of the listing and thereafter.” This conclusion is interesting, as many have argued that the privacy impacts are different depending on how information is shared or disseminated. In other words, it could have a significant impact on privacy if information that is originally shared only on request, is later published on the Internet. Consent to disclosure of the information using one medium might not translate into consent to a much broader disclosure. However, the Court’s decision should be read in the context of both the very broad terms of the consent form and the very significant level of disclosure that was already taking place. The court’s statement that “PIPEDA only requires new consent where information is used for a new purpose, not where it is distributed via new methods” should not be taken to mean that new methods of distribution do not necessarily reflect new purposes that go beyond the original consent.

The Federal Court of Appeal also took note of the Supreme Court of Canada’s recent decision in Royal Bank of Canada v. Trang. In the course of deciding whether to find implied consent to a disclosure of personal information, the Supreme Court of Canada had ruled that while the balance owing on a mortgage was personal information, it was less sensitive than other financial information because the original amount of the mortgage, the rate of interest and the due date for the mortgage were all publicly available information from which an estimate of the amount owing could be derived. The Federal Court of Appeal found that the selling price of a home was similarly capable of being derived from other publicly available data sources and was thus not particularly sensitive personal information.

In addition to finding that there would be no breach of PIPEDA, the Federal Court of Appeal seemed to accept the Tribunal’s view that the TREB was using PIPEDA in an attempt to avoid wider sharing of its data, not because of concerns for privacy, but in order to maintain its control over the data. It found that TREBs conduct was “consistent with the conclusion that it considered the consents were sufficiently specific to be compliant with PIPEDA in the electronic distribution of the disputed data on a VOW, and that it drew no distinction between the means of distribution.” (at para 171)

Finally, the Competition Tribunal had ruled that the TREB did not have copyright in its compilation of data because the compilation lacked sufficient originality in the selection or arrangement of the underlying data. Copyright in a compilation depends upon this originality in selection or arrangement because facts themselves are in the public domain. The Federal Court of Appeal declined to decide the copyright issue since the finding that the VOW policy was anti-competitive meant that copyright could not be relied upon as a defence. Nevertheless, it addressed the copyright question in obiter (meaning that its comments are merely opinion and not binding precedent).

The Federal Court of Appeal noted that the issue of whether there is copyright in a compilation of facts is a “highly contextual and factual determination” (at para 186). The Court of Appeal took note of the Tribunal’s findings that “TREB’s specific compilation of data from real estate listings amounts to a mechanical exercise” (at para 194), and agreed that the threshold for originality was not met. The Federal Court of Appeal dismissed the relevance of TREB’s arguments about the ways in which its database was used, noting that “how a “work” is used casts little light on the question of originality.” (at para 195) The Court also found no relevance to the claims made in TREB’s contracts to copyright in its database. Claiming copyright is one thing, establishing it in law is quite another.

 

Note that leave to appeal this decision to the Supreme Court of Canada was denied on August 23, 2018.

 

Published in Copyright Law

In R. v. Orlandis-Habsburgo the Ontario Court of Appeal revisited the Supreme Court of Canada decisions in R. v. Spencer, R. v. Gomboc, and R. v. Plant. The case involved the routine sharing of energy consumption data between an electricity provider and the police. Horizon Utilities Corp. (Horizon) had a practice of regularly reviewing its customers’ energy consumption records, including monthly consumption figures as well as patterns of consumption throughout the day. When Horizon encountered data suggestive of marijuana grow operations, they would send it to the police. This is what occurred in Orlandis-Habsburgo. The police responded by requesting and obtaining additional information from Horizon. They then conducted observations of the accused’s premises. The police used a combination of data provided by Horizon and their own observation data to obtain a search warrant which ultimately led to charges against the accused, who were convicted at trial.

The defendants appealed their convictions, arguing that their rights under s. 8 of the Canadian Charter of Rights and Freedoms had been infringed when the police obtained data from Horizon without a warrant. The trial judge had dismissed these arguments, finding that the data were not part of the “biographical core” of the defendants’ personal information, and that they therefore had no reasonable expectation of privacy in them. Further, he ruled that given the constellation of applicable laws and regulations, as well as Horizon’s terms of service, it was reasonable for Horizon to share the data with the police. The Court of Appeal disagreed, finding that the appellants’ Charter rights had been infringed. The decision is interesting because of its careful reading of the rather problematic decision of the Supreme Court of Canada in Gomboc. Nevertheless, although the decision creates important space for privacy rights in the face of ubiquitous data collection and close collaboration between utility companies and the police, the Court of Appeal’s approach is highly contextual and fact-dependent.

A crucial fact in this case is that the police and Horizon had an ongoing relationship when it came to the sharing of customer data. Horizon regularly provided data to the police, sometimes on its own initiative and sometimes at the request of the police. It provided data about suspect residences as well as data about other customers for comparison purposes. Writing for the unanimous court, Justice Doherty noted that until the proceedings in this case commenced, Horizon had never refused a request from the police for information. He found that this established that the police and Horizon were working in tandem; this was important, since it distinguished the situation from one where a company or whistleblower took specific data to the police with concerns that it revealed a crime had been committed.

The Court began its Charter analysis by considering whether the appellants had a reasonable expectation of privacy in the energy consumption data. The earlier Supreme Court of Canada decisions in Plant and Gomboc both dealt with data obtained by police from utility companies without a warrant. In Plant, the Court had found that the data revealed almost nothing about the lifestyle or activities of the accused, leading to the conclusion that there was no reasonable expectation of privacy. In Gomboc, the Court was divided and issued three separate opinions. This led to some dispute as to whether there was a reasonable expectation of privacy in the data. In Orlandis-Habsburgo, the Crown argued that seven out of nine judges in Gomboc had concluded that there was no reasonable expectation of privacy in electricity consumption data. By contrast, the appellants argued that five of the nine judges in Gomboc had found that there was a reasonable expectation of privacy in such data. The trial judge had sided with the Crown, but the Court of Appeal found otherwise. Justice Doherty noted that all of the judges in Gomboc considered the same factors in assessing the reasonable expectation of privacy: “the nature of the information obtained by the police, the place from which the information was obtained, and the relationship between the customer/accused and the service provider.” (at para 58) He found that seven of the judges in Gomboc had decided the reasonable expectation of privacy issue on the basis of the relationship between the accused and the utility company. At the same time, five of the justices had found that the data was of a kind that had the potential to reveal personal activities taking place in the home. He noted that: “In coming to that conclusion, the five judges looked beyond the data itself to the reasonable inferences available from the data and what those inferences could say about activities within the home.” (at para 66) He noted that this was the approach taken by the unanimous Supreme Court in R. v. Spencer, a decision handed down after the trial judge had reached his decision in Orlandis-Habsburgo. He also observed that the relationship between the customer and the service provider in Orlandis-Habsburgo was different in significant respects from that in Gomboc, allowing the two cases to be distinguished. In Gomboc, a provincial regulation provided that information from utility companies could be shared with the police unless customers explicitly requested to opt-out of such information sharing. No such regulation existed in this case.

Justice Doherty adopted the four criteria set out in Spencer for assessing the reasonable expectation of privacy. There are: “(1) the subject matter of the alleged search; (2) the claimant's interest in the subject matter; (3) the claimant's subjective expectation of privacy in the subject matter; and (4) whether this subjective expectation of privacy was objectively reasonable, having regard to the totality of the circumstances.” (Spencer, at para 18) On the issue of the subject matter of the search, the Court found that the energy consumption data included “both the raw data and the inferences that can be drawn from that data about the activity in the residence.” (at para 75) Because the data and inferences were about a person’s home, the Court found that this factor favoured a finding of a reasonable expectation of privacy. With respect to the interest of the appellants in the data, the Court found that they had no exclusive rights to these data – the energy company had a right to use the data for a variety of internal purposes. The Court described these data as being “subject to a complicated and interlocking myriad of contractual, legislative and regulatory provisions” (at para 80), which had the effect of significantly qualifying (but not negating) any expectation of privacy. Justice Doherty found that the appellants had a subjective expectation of privacy with respect to any activities carried out in their home, and he also found that this expectation of privacy was objectively reasonable. In this respect, he noted that although there were different documents in place that related to the extent to which Horizon could share data with the police, “one must bear in mind that none are the product of a negotiated bargain between Horizon and its customers.” (at para 84) The field of energy provision is highly regulated, and the court noted that “[t]he provisions in the documents to which the customers are a party, permitting Horizon to disclose data to the police, cannot be viewed as a ‘consent’ by the customer, amounting to a waiver of any s. 8 claim the customer might have in the information.” (at para 84) That being said, the Court also cautioned against taking any of the terms of the documents to mean that there was a reasonable expectation of privacy. Justice Doherty noted that “The ultimate question is not the scope of disclosure of personal information contemplated by the terms of the documents, but rather what the community should legitimately expect in terms of personal privacy in the circumstances.” (at para 85) He therefore described the terms of these documents as relevant, but not determinative.

The documents at issue included terms imposed on the utility by the Ontario Energy Board. Under these terms, Horizon is barred from using customer information for purposes other than those for which it was obtained without the customer’s consent. While there is an exception to the consent requirement where the information is “required to be disclosed. . . for law enforcement purposes”, Justice Doherty noted that in this case the police had, at most, requested disclosure – at no point was the information required to be disclosed. He found that the terms of the licence distinguished this case from Gomboc and supported a finding of a reasonable expectation of privacy in the data.

The Court also looked at the Distribution System Code (DSC) which permits disclosure to police of “possible unauthorized energy use”. However, Justice Doherty noted that this term was not defined, and no information was provided in the document as to when it was appropriate to contact police. He found this provision unhelpful in assessing the reasonable expectation of privacy. The Court found the Conditions of Service to be similarly unhelpful. By contrast, the privacy policy provided that the company would protect its customers’ personal information, and explicitly set out the circumstances in which it might disclose information to third parties. One of these was a provision for disclosure “to personas as permitted or required by Applicable Law”. Those applicable laws included the provincial Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA) Justice Doherty looked to the Supreme Court of Canada’s interpretation of PIPEDA in Spencer. He found that the exception in PIPEDA that permitted disclosure of information to law enforcement could only occur with “lawful authority” and that “[t]he informal information-sharing arrangement between Horizon and the police described in the evidence is inconsistent with both the terms of Horizon’s licence and the disclosure provisions in PIPEDA.” (at para 104) He also found that it did not amount to “lawful authority” for a request for information.

The respondents argued that s. 32(g) of MFIPPA provided a basis for disclosure. This provision permits disclosures to law enforcement agencies without referencing any need for “lawful authority”. However, Justice Doherty noted that, like PIPEDA, MFIPPA has as its primary goal the protection of personal information. He stated: “That purpose cannot be entirely negated by an overly broad and literal reading of the provisions that create exceptions to the confidentiality requirement.” (at para 106) He noted that while s. 32(g) provides an entity with discretion to release information in appropriate circumstances, the exercise of this discretion requires “an independent and informed judgment” (at para 107) in relation to a specific request for information. The provision could not support the kind of informal, ongoing data-sharing relationship that existed between Horizon and the police. Similarly, the court found that the disclosure could not be justified under the exception in s. 7(3)(d)(i) of PIPEDA that allowed a company to disclose information where it had “reasonable grounds to believe that the information relates to . . . a contravention of the laws of Canada”. While Justice Doherty conceded that such disclosures might be possible, in the circumstances, Horizon “did not make any independent decision to disclose information based on its conclusion that reasonable grounds existed to believe that the appellants were engaged in criminal activity.” (at para 110) It simply passed along data that it thought might be of interest to the police.

Although the Court of Appeal concluded that there was a reasonable expectation of privacy in the energy consumption data, and that the search was unreasonable, it ultimately found that the admission of the evidence would not bring the administration of justice into disrepute. As a result, the convictions were upheld. The court cited, in support of its conclusion that the trial judge had reached his decision prior to the Supreme Court of Canada’s decision in Spencer, and that the error in the judge’s approach was only evident after reading Spencer.

 

Published in Privacy

Note: The following are my speaking notes for my appearance on February 23, 2026 before the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI). ETHI is currently engaged in a review of PIPEDA. My colleague Dr. Florian Martin-Bariteau also appeared before the same committee. His remarks are found here.

Thank you for the invitation to meet with you today and to contribute to your study of the Personal Information Protection and Electronic Documents Act. I am a professor at the University of Ottawa, Faculty of Law, where I hold the Canada Research Chair in Information Law. I am appearing in my personal capacity.

We are facing a crisis of legitimacy when it comes to personal data protection in Canada. Every day there are new stories about data hacks and breaches, and about the surreptitious collection of personal information by devices in our homes and on our persons that are linked to the Internet of Things. There are stories about how big data profiling impacts the ability of individuals to get health insurance, obtain credit or find employment. There are also concerns about the extent to which state authorities access our personal information in the hands of private sector companies. PIPEDA, as it currently stands, is inadequate to meet these challenges

My comments are organized around the theme of transparency. Transparency is fundamentally important to data protection and it has always played an important role under PIPEDA. At a fundamental level, transparency means openness and accessibility. In the data protection context it means requiring organizations to be transparent about the collection, use and disclosure of personal information; and it means the Commissioner must be transparent about his oversight functions under the Act. I will also argue that it means that state actors (including law enforcement and national security organizations) must be more transparent about their access to and use of the vast stores of personal information in the hands of private sector organizations.

Under PIPEDA, transparency is at the heart of the consent-based data protection scheme. Transparency is central to the requirement for companies to make their privacy policies available to consumers, and to obtain consumer consent to collection, use or disclosure of personal information. Yet this type of transparency has come under significant pressure and has been substantially undermined by technological change on the one hand, and by piecemeal legislative amendment on the other.

The volume of information that is collected through our digital, mobile and online interactions is enormous, and its actual and potential uses are limitless. The Internet of Things means that more and more, the devices we have on our person and in our homes are collecting and transmitting information. They may even do so without our awareness, and often on a continuous basis. The result is that there are fewer clear and well-defined points or moments at which data collection takes place, making it difficult to say that notice has been provided and consent obtained in any meaningful way. In addition, the number of daily interactions and activities that involve data collection have multiplied beyond the point at which we are capable of reading and assessing each individual privacy policy. And, even if we did have the time, privacy policies are often so long, complex, and vague that reading them does not provide much of an idea of what is being collected and shared, with or by whom, or for what purposes.

In this context consent has become a joke, although unfortunately the joke is largely on the consumer. The only parties capable of saying that our current consent-based model still works are those that benefit from consumer resignation in the face of this ubiquitous data harvesting.

The Privacy Commissioner’s recent consultation process on consent identifies a number of possible strategies to address the failure of the current system. There is no quick or easy fix – no slight changing of wording that will address the problems around consent. This means that on the one hand, there need to be major changes in how organizations achieve meaningful transparency about their data collection, use and disclosure practices. There must also be a new approach to compliance that gives considerably more oversight and enforcement powers to the Commissioner. The two changes are inextricably linked. The broader public protection mandate of the Commissioner requires that he have necessary powers to take action in the public interest. The technological context in which we now find ourselves is so profoundly different from what it was when this legislation was enacted in 2001 that to talk of only minor adjustments to the legislation ignores the transformative impacts of big data and the Internet of Things.

A major reworking of PIPEDA may in any event be well be overdue, and it might have important benefits that go beyond addressing the problems with consent. I note that if one was asked to draft a statute as a performance art piece that evokes the problems with incomprehensible, convoluted and contorted privacy policies and their effective lack of transparency, then PIPEDA would be that statute. As unpopular as it might seem to suggest that it is time to redraft the legislation so that it no longer reads like the worst of all privacy policies, this is one thing that the committee should consider.

I make this recommendation in a context in which all those who collect, use or disclose personal information in the course of commercial activity – including a vast number of small businesses with limited access to experienced legal counsel – are expected to comply with the statute. In addition, the public ideally should have a fighting chance of reading this statute and understanding what it means in terms of the protection of their personal information and their rights of recourse. As it is currently drafted PIPEDA is a convoluted mishmash in which the normative principles are not found in the law itself, but are rather tacked on in a Schedule. To make matters worse, the meaning of some of the words in the Schedule, as well as the principles contained therein are modified by the statute so that it is not possible to fully understand rules and exceptions without engaging in a complex connect-the-dots exercise. After a series of piecemeal amendments, PIPEDA now consists in large part of a growing list of exceptions to the rules around collection, use or disclosure without consent. While the OPC has worked hard to make the legal principles in PIPEDA accessible to businesses and to individuals, the law itself is not accessible In a recent case involving an unrepresented applicant, Justice Roy of the Federal Court expressed the opinion that for a party to “misunderstand the scope of the Act is hardly surprising.”

I have already mentioned the piecemeal amendments to PIPEDA over the years as well as concerns over transparency. In this respect it is important to note that the statute has been amended so as to increase the number of exceptions to the consent that would otherwise be required for the collection, use or disclosure of personal information. For example, paragraphs 7(3)(d.1) and (d.2) were added in 2015, and permit organizations to share personal information between themselves for the purposes of investigating breaches of an agreement or actual or anticipated contraventions of the laws of Canada or a province, or to detect or supress fraud. These are important objectives, but I note that no transparency requirements were created in relation to these rather significant powers to share personal information without knowledge or consent. In particular, there is no requirement to notify the Commissioner of such sharing. The scope of these exceptions creates a significant transparency gap that undermines personal information protection. This should be fixed.

PIPEDA also contains exceptions that allow organizations to share personal information with government actors for law enforcement or national security purposes without notice or consent of the individual. These exceptions also lack transparency safeguards. Given the huge volume of highly detailed personal information, including location information that is now collected by private sector organizations, the lack of mandatory transparency requirements is a glaring privacy problem. The Department of Industry, Science and Economic Development has created a set of voluntary transparency guidelines for organizations that choose to disclose the number of requests they receive and how they deal with them. It is time for there to be mandatory transparency obligations around such disclosures, whether it be public reporting or reporting to the Commissioner, or a combination of both. It should also be by both public and private sector actors.

Another major change that is needed to enable PIPEDA to meet the contemporary data protection challenges relates to the powers of the Commissioner. When PIPEDA was enacted in 2001 it represented a fundamental change in how companies were to go about collecting, using and disclosing personal information. This major change was made with great delicacy; PIPEDA reflected an ombuds model which allowed for a light touch with an emphasis on facilitating and cajoling compliance rather than imposing and enforcing it. Sixteen years later and with exabytes of personal data under the proverbial bridge, it is past time for the Commissioner to be given a new set of tools in order to ensure an adequate level of protection for personal information in Canada.

First, the Commissioner should have the authority to impose fines on organizations in circumstances where there has been substantial or systemic non-compliance with privacy obligations. Properly calibrated, such fines can have an important deterrent effect, which is currently absent in PIPEDA. They also represent transparent moments of accountability that are important in maintaining public confidence in the data protection regime.

The toolbox should also include the power for the Commissioner to issue binding orders. I am sure that you are well aware that the Commissioners in Quebec, Alberta and British Columbia already have such powers. As it stands, the only route under PIPEDA to a binding order runs through the Federal Court, and then only after a complaint has passed through the Commissioner’s internal process. This is an overly long and complex route to an enforceable order, and it requires an investment of time and resources that places an unfair burden on individuals.

I note as well that PIPEDA currently does not provide any guidance as to damage awards. The Federal Court has been extremely conservative in damage awards for breaches of PIPEDA, and the amounts awarded are unlikely to have any deterrent effect other than to deter individuals who struggle to defend their personal privacy. Some attention should be paid to establishing parameters for non-pecuniary damages under PIPEDA. At the very least, these will assist unrepresented litigants in understanding the limits of any recourse available to them.

Thank you for your attention, and I welcome any questions.

Published in Privacy

The Federal Court of Canada has ordered a Romanian company and its sole proprietor to cease publishing online any Canadian court or tribunal decisions containing personal information. It has also awarded damages against the company’s owner. The decision flows from an application made pursuant to s. 14 of the Personal Information Protection and Electronic Documents Act (PIPEDA). The applicant had complained to the Privacy Commissioner of Canada regarding the activities of the defendant and his website Globe24h.com. The Commissioner ruled the complaint well-founded (my comment on this finding is here). However, since the Commissioner has no power to make binding orders or to award damages, the applicant pursued the matter in court. (Note that the lack of order-making powers is considered by many to be a weakness of PIPEDA, and the Commissioner has suggested to Parliament that it might be time for greater enforcement powers.)

Globe24h.com is a Romania-based website operated by the respondent Radulescu. The site re-publishes public documents from a number of jurisdictions, including Canada. The Canadian content is scraped from CanLII and from court and tribunal websites. This scraping is contrary to the terms of use of those sites. The Canadian court websites and CanLII also prevent the indexing of their websites by search engines; this means that a search for an individual by name will not turn up court or tribunal decisions in which that individual is named. This practice is meant to balance the privacy of individuals with the public interest in having broad access to court and tribunal decisions. Such decisions may contain considerable amounts of personal information as they may relate to any kind of legal dispute including family law matters, employment-related disputes, discrimination complaints, immigration proceedings, bankruptcy cases, challenges to decisions on pensions or employment insurance, criminal matters, disputes between neighbors, and so on. In contrast, the Globe24h.com website is indexed by search engines; as a result, the balance attempted to be struck by courts and tribunals in Canada is substantially undermined.

The applicant in this case was one of many individuals who had complained to the Office of the Privacy Commissioner (OPC) after finding that a web search for their names returned results containing personal information from court decisions. The applicant, like many others, had sought to have his personal information removed from the Globe24h website. However, the “free removal” option offered by the site could take half a year or more to process. The alternative was to pay to have the content removed. Those who had opted to pay for removal found that they might have to pay again and again if the same information was reproduced in more than one document or in multiple versions of the decision hosted on the Globe24h web site.

The first issue considered by the Federal Court was whether PIPEDA could apply extraterritorially to Globe24h.com. In general, a country’s laws are not meant to apply outside its boundaries. Although the Federal Court referred to the issue as one of extraterritorial application of laws, it is more akin to what my co-authors and I have called extended territoriality. In other words, PIPEDA will apply to activities carried out in Canada and with impacts in Canada – even though the actors may be located outside of Canada. The internet makes such situations much more common. In this case, Radulescu engaged in scraping data from websites based in Canada; the information he collected included personal information of Canadians. He then, through his company, charged individuals fees to have their personal information removed from his website. The Court found that in these circumstances, PIPEDA would apply.

It was clear that the respondent had collected, used and disclosed the personal information of the applicant without his consent. Although Radulescu did not appear before the Federal Court, he had interacted with the OPC during the course of the investigation of the complaint against Globe24h. In that context, he had argued that he was entitled to benefit from the exception in PIPEDA which permitted the collection, use and disclosure of personal information without consent where it is for journalistic purposes. There is little case law that addresses head-on the scope of the “journalistic purposes” exception under PIPEDA. Justice Mosely found that the criteria proposed by the Canadian Association of Journalists, and supported by the OPC, provide a “reasonable framework” to define journalistic purposes:

 

. . . only where its purpose is to (1) inform the community on issues the community values, (2) it involves an element of original production, and (3) it involves a “self-conscious discipline calculated to provide an accurate and fair description of facts, opinion and debate at play within a situation.” (at para 68)

Justice Mosley found that “journalistic purposes” required something more than making court decisions available for free over the internet without any value-added content. He also noted that the statutory exception applies only where the collection, use or disclosure of personal information is for journalistic purposes and for no other purpose. Here, he found that the respondent had other purposes – namely to profit from charging people to remove their personal information from the website.

The respondent had also argued that he was entitled to benefit from the exception to the consent requirement because the information he collected, used and disclosed was ‘publicly available’. This exception is contained in PIPEDA and in regulations pertaining to publicly available information. While court and tribunal decisions fall within the definition of publicly available information, the exception to the consent requirement is only available where the collection, use or disclosure of the information relates “directly to the purpose for which the information appears in the record or document.” (Regs, s. 1(d)). In this case, Justice Mosley found that the respondent’s purpose did not relate directly to the reasons why the personal information was included in the decisions. Specifically, the inclusion of personal information in court decisions is to further the goals of the open courts principle, whereas, in the words of Justice Mosley, the respondent’s purpose “serves to undermine the administration of justice by potentially causing harm to participants in the justice system.” (at para 78)

PIPEDA contains a requirement that limits data collection, use or disclosure by an organization to only where it is “for purposes that a reasonable person would consider are appropriate in the circumstances.” (s. 5(3)). Justice Mosely noted that the Canadian Judicial Council’s policies on the online publication of court decisions strongly discourages the indexing of such decisions by search engines in order to strike a balance between open courts and privacy. This led Justice Mosely to conclude that the respondent did not have a bona fide business interest in making court decisions available in a way that permitted their indexing by search engines. Therefore the collection, use and disclosure of this information was not for purposes that a reasonable person would consider to be appropriate.

Having found that the respondent had breached PIPEDA, Justice Mosley next considered the issue of remedies. The situation was complicated in this case by the fact that the respondent is based in Romania. This raised issues of whether the court should make orders that would have an impact in Romania, as well as the issue of enforceability. The applicant was also pursuing separate remedies in Romania, and Justice Mosley noted that a court order from Canada might assist in these objectives. The OPC argued that it would be appropriate for the Court to make an order with a broader impact than just the applicant’s particular circumstances. The number of other complaints received by both CanLII and the OPC about personal information contained in decisions hosted on the Romanian site were indicative of a systemic issue. Justice Mosley was also influenced by the OPC’s argument that a broad order could be used by the applicant and by others to persuade search engines to de-index the pages of the respondent’s websites. Accepting that PIPEDA enabled him to address systemic and not just individual problems, Justice Mosely issued a declaration that the respondent had violated PIPEDA, and ordered that he remove all Canadian court and tribunal decisions that contain personal information. He also ordered that the respondent take steps to ensure that these decisions are removed from search engine caches. The respondent was also ordered to refrain from any further copying or publishing of Canadian court or tribunal decisions containing personal information in a manner that would violate PIPEDA.

The applicant also sought damages for breach of PIPEDA. Damages awards have been a weak spot under PIPEDA. The Federal Court has been extremely conservative in awarding damages; this tendency has not been helped by the fact that the overwhelming majority of applications have been brought by self-represented litigants. In this case, Justice Mosley accepted that the breach was egregious, and noted the practice of the respondent to profit from exploiting the personal information of Canadians. He also noted that the level of disclosure of personal information was extensive because of the bulk downloading and publishing of court decisions. Finally, he noted that the respondent “has also acted in bad faith in failing to take responsibility and rectify the problem” (at para 103). In the circumstances, one might have expected an order of damages far in excess of the modest $5000 ultimately ordered by Justice Mosely. This amount seems disproportionate to the nature of the breach, as well as to the impact it had on the applicant and the extensive steps he has had to take to try to address the problem. Even though recovering any amount from the respondent might be no more than a pipe dream in the circumstances, the amount set in this case would seem to lack any deterrent effect and is hardly proportionate to the nature of the breach.

Overall, this decision is an important one. It confirms the application of PIPEDA to the collection, use or disclosure of personal information of Canadians that is linked to Canada, even where the respondent is located in another country. It also provides clarification of the exceptions to consent for journalistic purposes and for publicly available information. In this regard, the court’s careful reading of these exceptions prevents them from being used as a broad licence to exploit personal information. The court’s reasoning with respect to its declaration and its order is also useful, particularly as it applies to the sanctioning of offshore activities. The only weakness is in the award of damages; this is a recurring issue with PIPEDA and one that may take legislative intervention to address.

Published in Privacy

Yesterday I appeared before the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, along with Professor David Lyon of Queen’s University and Professor Lisa Austin of the University of Toronto. The Committee is considering long overdue reform of the Privacy Act, and we had been invited to speak on this topic.

All three of us urged the Committee to take into account the very different technological environment in which we now find ourselves. Professor Lyon cogently addressed the changes brought about by the big data context. Although the Privacy Act as it currently stands largely address the collection, use and disclosure of personal information for “administrative purposes” all three of us expressed concerns over the access to and use by government of information in the hands of the private sector, and the use of information in big data analytics. Professor Austin in particular emphasized the need to address not just the need for accuracy in the data collected by government but also the need to assess “algorithmic accuracy” – the quality/appropriateness of algorithms used to analyse large stores of data and to draw conclusions or predictions from this data. She also made a clear case for bringing Charter considerations into the Privacy Act – in other words, for recognizing that in some circumstances information collection, disclosure or sharing that appears to be authorized by the Privacy Act might nevertheless violate the Canadian Charter of Rights and Freedoms. There was also considerable discussion of information-sharing practices both within government and between our government and other foreign or domestic governments.

The Committee seemed very interested and engaged with the issues, which is a good sign. Reform of the Privacy Act will be a challenging task. The statute as a public sector data protection statute is sorely out of date. However, it is also out of context – in other words, it was drafted to address an information context that is radically different from that in which we find ourselves today. Many of the issues that were raised before the Committee yesterday go well beyond the original boundaries of the Privacy Act, and the addition of a few provisions or a few tweaks here and there will not come close to solving some of these privacy issues – many of which overlap with issues of private sector data protection, criminal law and procedure, and national security.

The notes related to my own remarks to the Committee are available below.

Written Notes for Comments by Professor Teresa Scassa to the House of Commons’ Standing Committee on Access to Information, Privacy and Ethics, June 14, 2016

Thank you for the opportunity to address this Committee on the issue of reform of the Privacy Act.

I have reviewed the Commissioner’s recommendations on Privacy Act reform and I am generally supportive of these proposals. I will focus my remarks today on a few specific issues that are united by the theme of transparency. Greater transparency with respect to how personal information is collected, used and disclosed by government enhances privacy by exposing practices to comment and review and by enabling appropriate oversight and accountability. At the same time, transparency is essential to maintaining public confidence in how government handles personal information.

The call for transparency must be situated within our rapidly changing information environment. Not only does technology now enable an unprecedented level of data collection and storage, enhanced analytic capacity has significantly altered the value of information in both public and private sectors. This increased value provides temptations to over-collect personal information, to share it, mine it or compile it across departments and sectors for analysis, and to retain it beyond the period required for the original purposes of its collection.

In this regard, I would emphasize the importance of the recommendation of the Commissioner to amend the Privacy Act to make explicit a “necessity” requirement for the collection of personal information, along with a clear definition of what ‘necessary’ means. (Currently, s. 4(1) of the Privacy Act requires only that personal information “relate[] directly to an operating program or activity of the institution”.) The goal of this recommendation is to curtail the practice of over-collection of personal information. Over-collection runs counter to the expectations of the public who provide information to government for specific and limited purposes. It also exposes Canadians to enhanced risks where negligence, misconduct or cyberattack result in data breaches. Data minimization is an important principle that is supported by data protection authorities around the world and that is reflected in privacy legislation. The principle should be explicit and up front in a reformed Privacy Act. Data minimization also has a role to play in enhancing transparency: not only do clear limits on the collection of personal information serve transparency goals; over-collection encourages the re-purposing of information, improper use and over-sharing.

The requirement to limit collection of information to specific and necessary purposes is tied to the further requirement on government to collect personal information directly from the individual “where possible” (s. 5(1)). This obviously increases transparency as it makes individuals directly aware of the collection. However, this requirement relates to information collected for an “administrative purpose”. There may be many other purposes for which government collections information, and these fall outside the privacy protective provisions of the Privacy Act. This would include circumstances that is disclosed to a government investigative body at its request in relation to an investigation or the enforcement of any law, or that is disclosed to government actors under court orders or subpoenas. Although such information gathering activities may broadly be necessary, they need to be considered in the evolving data context in which we find ourselves, and privacy laws must adapt to address them.

Private sector companies now collect vast stores of personal information, and this information often includes very detailed, core-biographical information. It should be a matter of great concern, therefore, that the permissive exceptions in both PIPEDA and the Criminal Code enable the flow of massive amounts of personal information from the private sector to government without the knowledge or consent of the individual. Such requests/orders are often (although not always) made in the course of criminal or national security investigations. The collection is not transparent to the individuals affected, and the practices as a whole are largely non-transparent to the broader public and to the Office of the Privacy Commissioner (OPC).

We have heard the most about this issue in relation to telecommunications companies, which are regularly asked or ordered to provide detailed information to police and other government agents. It should be noted, however, that many other companies collect personal information about individuals that is highly revelatory about their activities and choices. It is important not to dismiss this issue as less significant because of the potentially anti-social behaviour of the targeted individuals. Court orders and requests for information can and do encompass the personal information of large numbers of Canadians who are not suspected of anything. The problem of tower dump warrants, for example, was recently highlighted in a recent case before the Ontario Supreme Court (R. v. Rogers Communication (2016 ONSC 70))(my earlier post on this decision can be found here). The original warrant in that case sought highly detailed personal information of around 43,000 individuals, the vast majority of whom had done nothing other than use their cell phones in a certain area at a particular time. Keep in mind that the capacity to run sophisticated analytics will increase the attractiveness of obtaining large volumes of data from the private sector in order to search for an individual linked to a particular pattern of activity.

Without adequate transparency regarding the collection of personal information from the private sector, there is no way for the public to be satisfied that such powers are not abused. Recent efforts to improve transparency (for example, the Department of Innovation, Science and Economic Development’s voluntary transparency reporting guidelines) have focused on private sector transparency. In other words, there has been an attempt to provide a framework for the voluntary reporting by companies of the number of requests they receive from government authorities, the number they comply with, and so on. But these guidelines are entirely voluntary, and they also only address transparency reporting by the companies themselves. There are no legislated obligations on government actors to report in a meaningful way – whether publicly or to the OPC – on their harvesting of personal information from private sector companies. I note that the recent attempt by the OPC to audit the RCMP’s use of warrantless requests for subscriber data came to an end when it became clear that the RCMP did not keep specific records of these practices.

In my view, a modernization of the Privacy Act should directly address this enhanced capacity of government institutions to access the vast stores of personal information in the hands of the private sector. The same legislation that permits the collection of personal information from private sector companies should include transparency reporting requirements where such collection takes places. In addition, legislative guidance should be provided on how government actors who obtain personal information from the private sector either by request or under court order should deal with this information. Specifically, limits on the use and retention of this data should be imposed.

It is true that both the Criminal Code and PIPEDA enable police forces and investigative bodies under both federal and provincial jurisdiction to obtain personal information from the private sector under the same terms and conditions, and that reform of the Privacy Act in this respect will not address transparency and accountability of provincial actors. This suggests that issues of transparency and accountability of this kind might also fruitfully be addressed in the Criminal Code and in PIPEDA, but this is no reason not to also address it in the Privacy Act. To the extent that government institutions are engaged in the indirect collection of personal information, the Privacy Act should provide for transparency and accountability with respect to such activities.

Another transparency issue raised by the Commissioner relates to information-sharing within government. Technological changes have made it easier for government agencies and departments to share personal information – and they do so on what the Commissioner describes as a “massive” scale. The Privacy Act enables personal information sharing within and between governments, domestically and internationally, in specific circumstances – for investigations and law enforcement, for example, or for purposes consistent with those for which it was collected. (Section 8(2)(a) allows for sharing “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”). Commissioner Therrien seeks amendments that would require information-sharing within and between governments to take place according to written agreements in a prescribed form. Not only would this ensure that information sharing is compliant with the legislation, it would offer a measure of transparency to a public that has a right to know whether and in what circumstances information they provide to one agency or department will be shared with another – or whether and under what conditions their personal information may be shared with provincial or foreign governments.

Another important transparency issue is mandatory data breach reporting. Treasury Board Secretariat currently requires that departments inform the OPC of data security breaches; yet the Commissioner has noted that not all comply. As a result, he is asking that the legislation be amended to include a mandatory breach notification requirement. Parliament has recently amended PIPEDA to include such a requirement. Once these provisions take effect, the private sector will be held to a higher standard than the public sector unless the Privacy Act is also amended. Any amendments to the federal Privacy Act to address data security breach reporting would have to take into account the need for both the Commissioner and for affected individuals to be notified where there has been a breach that meets a certain threshold for potential harm, as will be the case under PIPEDA. The PIPEDA amendments will also require organizations to keep records of all breaches of security safeguards regardless of whether they meet the harm threshold that triggers a formal reporting requirement. Parliament should impose a requirement on those bodies governed by the Privacy Act to both keep and to submit records of this kind to the OPC. Such records would be helpful in identifying patterns or trends either within a single department or institution or across departments or institutions. The ability to identify issues proactively and to address them either where they arise or across the federal government can only enhance data security – something which is becoming even more urgent in a time of increased cybersecurity threats.

 

Published in Privacy

 

The Federal Court has released a decision in a case that raises important issues about transparency and accountability under Canada’s private sector privacy legislation.

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs privacy with respect to the collection, use and disclosure of personal information by private sector organizations. Under PIPEDA, individuals have the right to access their personal information in the hands of private sector organizations. The right of access allows individuals to see what information organizations have collected about them. It is accompanied by a right to have incorrect information rectified. In our datified society, organizations make more and more decisions about individuals based upon often complex profiles built with personal information from a broad range of sources. The right of access allows individuals to see whether organizations have exceeded the limits of the law in collecting and retaining personal information; it also allows them the opportunity to correct errors that might adversely impact decision-making about them. Unfortunately, our datified society also makes organizations much more likely to insist that the data and algorithms used to make decisions or generate profiles, along with the profiles themselves, are all confidential business information and thus exempt from the right of access. This is precisely what is at issue in Bertucci v. Royal Bank of Canada.

The dispute in this case arose after the Bertuccis – a father and son who had banked with RBC for 35 and 20 years respectively, and who also held business accounts with the bank – were told by RBC that the bank would be closing their accounts. The reason given for the account closure was that the bank was no longer comfortable doing business with them. Shortly after this, the Bertuccis made a request, consistent with their right of access under PIPEDA, to be provided with all of their personal information in the hands of RBC, including information as to why their bank accounts were closed. RBC promptly denied the request, stating that it had already provided its reason for closing the accounts and asserting that it had a right under its customer contracts to unilaterally close accounts without notice. It also indicated that it had received no personal information from third parties about the Bertuccis and that all of the information that they sought was confidential commercial information.

RBC relied upon paragraph 9(3)(b) of PIPEDA, which essentially allows an organization to refuse to provide access to personal information where “to do so would reveal confidential commercial information”. On receiving RBC’s refusal to provide access, the Bertuccis complained to the Office of the Privacy Commissioner. The OPC investigated the complaint and ultimately sided with RBC, finding that it was justified in withholding the information. In reaching this conclusion, the OPCC relied in part on an earlier Finding of the Privacy Commissioner which I have previously critiqued, precisely because of its potential implications for transparency and accountability in the evolving big data context.

In reaching it conclusion on the application of paragraph 9(3)(b) of PIPEDA, the OPC apparently accepted that the information at issue was confidential business information, noting that it was “treated as confidential by RBC, including information about the bank’s internal methods for assessing business-related risks.” (At para 10)

After having their complaint declared unfounded by the OPC, the applicants took the issue to the Federal Court. Justice Martineau framed the key question before the court in these terms: “Can RBC refuse to provide access to undisclosed personal information it has collected about the applicants on the grounds that its disclosure in this case would reveal confidential commercial information” (at para 16)

RBC’s position was that it was not required to justify why it might close an account. It argued that if it is forced to disclose personal information about a decision to close an account, then it is effectively stripped of its prerogative to not provide reasons. It also argued that any information that it relied upon in its risk assessment process would constitute confidential business information. This would be so even if the information were publicly available (as in the case of a newspaper article about the account holder). The fact that the newspaper article was relied upon in decision-making would be what constituted confidential information – providing access to that article would de facto disclose that information.

The argument put forward by RBC is similar to the one accepted by the OPC in its earlier (2002) decision which was relied upon by the bank and which I have previously criticized here. It is an argument that, if accepted, would bode very ill for the right of access to personal information in our big data environment. Information may be compiled from all manner of sources and used to create profiles that are relied upon in decision-making. To simply accept that information used in this way is confidential business information because it might reveal how the company reaches decisions slams shut the door on the right of access and renders corporate decision-making about individuals, based upon the vast stores of collected personal information, essentially non-transparent.

The Bertuccis argued that PIPEDA – which the courts have previously found to have a quasi-constitutional status in protecting individual privacy – makes the right of access to one’s personal information the rule. An exception to this rule would have to be construed narrowly. The applicants wanted to know what information led to the closure of their accounts and sought as well to exercise their right to have this information corrected if it was inaccurate. They were concerned that the maintenance on file of inaccurate information by RBC might continue to haunt them in the future. They also argued that RBC’s approach created a two-tiered system for access to personal information. Information that could be accessed by customers whose accounts were not terminated would suddenly become confidential information once those accounts were closed, simply because it was used in making that decision. They argued that the bank should not be allowed to use exceptions to the access requirement to shelter itself from embarrassment at having been found to have relied upon faulty or inadequate information.

Given how readily the OPC – the guardian of Canadians’ personal information in the hands of private sector organizations – accepted RBC’s characterization of this information as confidential, Justice Martineau’s decision is encouraging. He largely agreed with the position of the applicants, finding that the exceptions to the right to access to one’s personal information must be construed narrowly. Significantly, Justice Martineau found that courts cannot simply defer to a bank’s assertion that certain information is confidential commercial information. He placed an onus on RBC to justify why each withheld document was considered confidential. He noted that in some circumstances it will be possible to redact portions of reports, documents or data that are confidential while still providing access to the remainder of the information. In this case, Justice Martineau was not satisfied that the withheld information met the standard for confidential commercial information, nor was he convinced that some of it could not have been provided in redacted form.

Reviewing the documents at issue, Justice Martineau began by finding that a list of the documents relied upon by the bank in reaching its decision was not confidential information, subject to certain redactions. He noted as well that much of what was being withheld by the bank was “raw data”. He distinguished the raw data from the credit scoring model that was found to be confidential information in the 2002 OPC Finding mentioned above. He noted as well that the raw data was not confidential information and had not, when it was created, been treated as confidential information by the bank. He also noted that the standard for withholding information on an access request was very high.

Justice Martineau gave RBC 45 days to provide the applicants with all but a few of the documents which the court agreed could be withheld as confidential commercial information. Although the applicants had sought compensatory and punitive damages, he found that it was not an appropriate case in which to award damages.

Given the importance of this decision in the much broader big data and business information context, RBC is likely to appeal it to the Federal Court of Appeal. If so, it will certainly be an important case to watch. The issues it raises are crucial to the future of transparency and accountability of corporations with respect to their use of personal information. In light of the unwillingness of the OPC to stand up to the bank both in this case and in earlier cases regarding assertions of confidential commercial information, Justice Martineau’s approach is encouraging. There is a great deal at stake here, and this case will be well worth watching if it is appealed.

 

 

 

 

Published in Privacy
<< Start < Prev 1 2 3 4 5 6 7 Next > End >>
Page 6 of 7

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law