Teresa Scassa - Blog

The post is the second in a series that looks at the recommendations contained in the report on the Personal Information Protection and Electronic Documents Act (PIPEDA) issued by the House of Commons Standing Committee on Access to Information and Privacy Ethics (ETHI). My first post considered ETHI’s recommendation to retain consent at the heart of PIPEDA with some enhancements. At the same time, ETHI recommended some new exceptions to consent. This post looks at one of these – the exception relating to publicly available information.

Although individual consent is at the heart of the PIPEDA model – and ETHI would keep it there – the growing number of exceptions to consent in PIPEDA is reason for concern. In fact, the last round of amendments to PIPEDA in the 2015 Digital Privacy Act, saw the addition of ten new exceptions to consent. While some of these were relatively uncontroversial (e.g. making it clear that consent was not needed to communicate with the next of kin of an injured, ill or deceased person) others were much more substantial in nature. In its 2018 report ETHI has made several recommendations that continue this trend – creating new contexts in which individual consent will no longer be required for the collection, use or disclosure of personal information. In this post, I focus on one of these – the recommendation that the exception to consent for the use of “publicly available information” be dramatically expanded to include content shared by individuals on social media. In light of the recent Facebook/Cambridge Analytica scandal, this recommended change deserves some serious resistance.

PIPEDA already contains a carefully limited exception to consent to the collection, use or disclosure of personal information where it is “publicly available” as defined in the Regulations Specifying Publicly Available Information. These regulations identify five narrowly construed categories of publicly available information. The first is telephone directory information (but only where the subscriber has the option to opt out of being included in the directory). The second is name and contact information that is included in a professional business directory listing that is available to the public; nevertheless, such information can only be collected, used or disclosed without consent where it relates “directly to the purpose for which the information appears in the registry” (i.e. contacting the individual for business purposes). There is a similar exception for information in a public registry established by law (for example, a land titles registry); this information can similarly only be collected, used or disclosed for purposes related to those for which it appears in the record or document. Thus, consent is not required to collect land registry information for the purposes of concluding a real estate transaction. However, it is not permitted to extract personal information from such a registry, without consent, to use for marketing. A fourth category of publicly available personal information is information appearing in court or tribunal records or documents. This respects the open courts principle, but the exception is limited to collection, use or disclosure that relates directly to the purpose for which the information appears in the record or document. This means that online repositories of court and tribunal decisions cannot be mined for personal information; however, personal information can be used without consent to further the open courts principle (for example, a reporter gathering information to use in a newspaper story).

This brings us to the fifth category of publicly available information – the one ETHI would explode to include vast quantities of personal information. Currently, this category reads:

e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

ETHI’s recommendation is to make this “technologically neutral” by having it include content shared by individuals over social media. According to ETHI, a “number of witnesses considered this provision to be “obsolete.” (at p. 27) Perhaps not surprisingly, these witnesses represented organizations and associations whose members would love to have unrestricted access to the contents of Canadians’ social media feeds and pages. The Privacy Commissioner was less impressed with the arguments for change. He stated: “we caution against the common misconception that simply because personal information happens to be generally accessible online, there is no privacy interest attached to it.” (at p. 28) The Commissioner recommended careful study with a view to balancing “fundamental individual and societal rights.” This cautious approach seems to have been ignored. The scope of ETHI’s proposed change is particularly disturbing given the very carefully constrained exceptions that currently exist for publicly available information. A review of the Regulations should tell any reader that this was always intended to be a very narrow exception with tightly drawn boundaries; it was never meant to create a free-for-all open season on the personal information of Canadians.

The Cambridge Analytica scandal reveals the harms that can flow from unrestrained access to the sensitive and wide-ranging types and volumes of personal information that are found on social media sites. Yet even as that scandal unfolds, it is important to note that everyone (including Facebook) seems to agree that user consent was both required and abused. What ETHI recommends is an exception that would obviate the need for consent to the collection, use and disclosure of the personal information of Canadians shared on social media platforms. This could not be more unwelcome and inappropriate.

Counsel for the Canadian Life and Health Insurance Association, in addressing ETHI, indicated that the current exception “no longer reflects reality or the expectations of the individuals it is intended to protect.” (at p. 27) A number of industry representatives also spoke of the need to make the exception “technologically neutral”, a line that ETHI clearly bought when it repeated this catch phrase in its recommendation. The facile rhetoric of technological neutrality should always be approached with enormous caution. The ‘old tech’ of books and magazines involved: a) relatively little exposure of personal information; b) carefully mediated exposure (through editorial review, fact-checking, ethical policies, etc.); c) and time and space limitations that tended to focus publication on the public interest. Social media is something completely different. It is a means of peer-to-peer communication and interaction which is entirely different in character and purpose from a magazine or newspaper. To treat it as the digital equivalent is not technological neutrality, it is technological nonsensicality.

It is important to remember that while the exception to consent for publicly available information exists in PIPEDA; the definition of its parameters is found in a regulation. Amendments to legislation require a long and public process; however, changes to regulations can happen much more quickly and with less room for public input. This recommendation by ETHI is therefore doubly disturbing – it could have a dramatic impact on the privacy rights of Canadians, and could do so more quickly and quietly than through the regular legislative process. The Privacy Commissioner was entirely correct in stating that there should be no change to these regulations without careful consideration and a balancing of interests, and perhaps no change at all.

Published in Privacy

In February 2018 the Standing Committee on Access to Information, Privacy and Ethics (ETHI) issued its report based on its hearings into the state of Canada’s Personal Information Protection and Electronic Documents Act. The Committee hearings were welcomed by many in Canada’s privacy community who felt that PIPEDA had become obsolete and unworkable as a means of protecting the personal information of Canadians in the hands of the private sector. The report, titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act seems to come to much the same conclusion. ETHI ultimately makes recommendations for a number of changes to PIPEDA, some of which could be quite significant.

This blog post is the first in a series that looks at the ETHI Report and its recommendations. It addresses the issue of consent.

The enactment of PIPEDA in 2001 introduced a consent-based model for the protection of personal information in the hands of the private sector in Canada. The model has at its core a series of fair information principles that are meant to guide businesses in shaping their collection, use and disclosure of personal information. Consent is a core principle; other principles support consent by ensuring that individuals have adequate and timely notice of the collection of personal information and are informed of the purposes of collection.

Unfortunately, the principle of consent has been drastically undermined by advances in technology and by a dramatic increase in the commercial value of personal information. In many cases, personal information is now actual currency and not just the by-product of transactions, changing the very fundamentals of the consent paradigm. In the digital environment, the collection of personal information is also carried out continually. Not only is personal information collected with every digital interaction, it is collected even while people are not specifically interacting with organizations. For example, mobile phones and their myriad apps collect and transmit personal information even while not in use. Increasingly networked and interconnected appliances, entertainment systems, digital assistants and even children’s toys collect and communicate steady streams of data to businesses and their affiliates.

These developments have made individual consent somewhat of a joke. There are simply too many collection points and too many privacy policies for consumers to read. Most of these policies are incomprehensible to ordinary individuals; many are entirely too vague when it comes to information use and sharing; and individuals can easily lose sight of consents given months or years previously to apps or devices that are largely forgotten but that nevertheless continuing to harvest personal information in the background. Managing consent in this environment is beyond the reach of most. To add insult to injury, the resignation felt by consumers without meaningful options for consent is often interpreted as a lack of interest in privacy. As new uses (and new markets) for personal information continue to evolve, it is clear that the old model of consent is no longer adequate to serve the important privacy interests of individuals.

The ETHI Report acknowledges the challenges faced by the consent model; it heard from many witnesses who identified problems with consent and many who proposed different models or solutions. Ultimately, however, ETHI concludes that “rather than overhauling the consent model, it would be best to make minor adjustments and let the stakeholders – the Office of the Privacy Commissioner (OPC), businesses, government, etc. – adapt their practices in order to maintain and enhance meaningful consent.”(at p. 20)

The fact that the list of stakeholders does not include the public – those whose personal information and privacy are at stake – is telling. It signals ambivalence about the importance of privacy within the PIPEDA framework. In spite of being an interest hailed by the Supreme Court of Canada as quasi-constitutional in nature, privacy is still not approached by Parliament as a human right. The prevailing legislative view seems to be that PIPEDA is meant to facilitate the exchange of personal information with the private sector; privacy is protected to the extent that it is necessary to support public confidence in such exchanges. The current notion of consent places a significant burden on individuals to manage their own privacy and, by extension, places any blame for oversharing on poor choices. It is a cynically neo-liberal model of regulation in which the individual ultimately must assume responsibility for their actions notwithstanding the fact that the deck has been so completely and utterly stacked against them.

The OPC recently issued a report on consent which also recommended the retention of consent as a core principle, but recognized the need to take concrete steps to maintain its integrity. The OPC recommendations included using technological tools, developing more accessible privacy policies, adjusting the level of consent required to the risk of harm, creating no-go zones for the use of personal information, and enhancing privacy protection for children. ETHI’s rather soft recommendations on consent may be premised on an understanding that much of this work will go ahead without legislative change.

Among the minor adjustments to consent recommended by ETHI is that PIPEDA be amended to make opt-in consent the default for any use of personal information for secondary purposes. This means that while there might be opt-out consent for the basic services for which a consumer is contracting (in other words, if you provide your name and address for the delivery of an item, it can be assumed you are consenting to the use of the information for that purpose), consumers must agree to the collection, use or disclosure of their personal information for secondary or collateral purposes. ETHI’s recommendation also indicates that opt-in consent might eventually become the norm in all circumstances. Such a change may have some benefits. Opt out consent is invidious. Think of social media platform default settings that enable a high level of personal information sharing, leaving consumers to find and adjust these settings if they want greater protection for their privacy. An opt-in consent requirement might be particularly helpful in addressing such problems. Nevertheless, it will not be much use in the context of long, complex (and largely unread) privacy policies. Many such policies ask consumers to consent to a broad range of uses and disclosures of personal information, including secondary purposes described in the broadest of terms. A shift to opt-in consent will not help if agreeing to a standard set of unread terms amounts to opting-in.

ETHI also considered whether and how individuals should be able to revoke their consent to the collection, use or disclosure of their personal information. The issues are complex. ETHI gave the example of social media, where information shared by an individual might be further disseminated by many others, making it challenging to give effect to a revocation of consent. ETHI recommends that the government “study the issue of revocation of consent in order to clarify the form of revocation required and its legal and practical implications”.

ETHI also recommended that the government consider specific rules around consent for minors, as well as the collection, use and disclosure of their personal information. Kids use a wide range of technologies, but may be particularly vulnerable because of a limited awareness of their rights and recourses, as well as of the long-term impacts of personal information improvidently shared in their youth. The issues are complex and worthy of further study. It is important to note, however, that requiring parental consent is not an adequate solution if the basic framework for consent is not addressed. Parents themselves may struggle to understand the technologies and their implications and may be already overwhelmed by multiple long and complex privacy policies. The second part of the ETHI recommendation which speaks to specific rules around the collection, use and disclosure of the personal information of minors may be more helpful in addressing some of the challenges in this area. Just as we have banned some forms of advertising directed at children, we might also choose to ban some kinds of collection or uses of children’s personal information.

In terms of enhancing consent, these recommendations are thin on detail and do not provide a great deal of direction. They seem to be informed by a belief that a variety of initiatives to enhance consent through improved privacy policies (including technologically enhanced policies) may suffice. They are also influenced by concerns expressed by business about the importance of maintaining the ‘flexibility’ of the current regime. While there is much that is interesting elsewhere within the ETHI report, the discussion of consent feels incomplete and disappointing. Minor adjustments will not make a major difference.

Up next: One of the features of PIPEDA that has proven particularly challenging when it comes to consent is the ever-growing list of exceptions to the consent requirement. In my next post I will consider ETHI’s recommendations that would add to that list, and that also address ‘alternatives’ to consent.

Published in Privacy

The Office of the Privacy Commissioner of Canada has released its Draft Position on Online Reputation. It’s an important issue and one that is of great concern to many Canadians. In the Report, the OPC makes recommendations for legislative change and proposes other measures (education, for example) to better protect online reputation. However, the report has also generated considerable controversy for the position it has taken on how the Personal Information Protection and Electronic Documents Act currently applies in this context. In this post I will focus on the Commissioner’s expressed view that PIPEDA applies to search engine activities in a way that would allow Canadians to request the de-indexing of personal information from search engines, with the potential to complain to the Commissioner if these demands are not met.

PIPEDA applies to the collection, use and disclosure of personal information in the course of commercial activity. The Commissioner reasons, in this report, that search engines are engaged in commercial activity, even if search functions are free to consumers. An example is the placement of ads in search results. According to the Commissioner, because search engines can provide search results that contain (or lead to) personal information, these search engines are collecting, using and disclosing personal information in the course of commercial activity.

With all due respect, this view seems inconsistent with current case law. In 2010, the Federal Court in State Farm Mutual Automobile Insurance Co. v. Canada (Privacy Commissioner) ruled that an insurance company that collected personal information on behalf of an individual it was representing in a law suit was not collecting that information in the course of commercial activity. This was notwithstanding the fact that the insurance company was a commercial business. The Court was of the view that, at essence, the information was being collected on behalf of a private person (the defendant) so that he could defend a legal action (a private and non-commercial matter to which PIPEDA did not apply). Quite tellingly, at para 106, the court stated: “if the primary activity or conduct at hand, in this case the collection of evidence on a plaintiff by an individual defendant in order to mount a defence to a civil tort action, is not a commercial activity contemplated by PIPEDA, then that activity or conduct remains exempt from PIPEDA even if third parties are retained by an individual to carry out that activity or conduct on his or her behalf.”

The same reasoning applies to search engines. Yes, Google makes a lot of money, some of which comes from its search engine functions. However, the search engines are there for anyone to use, and the relevant activities, for the purposes of the application of PIPEDA, are those of the users. If a private individual carries out a Google search for his or her own purposes, that activity does not amount to the collection of personal information in the course of commercial activity. If a company does so for its commercial purposes, then that company – and not Google – will have to answer under PIPEDA for the collection, use or disclosure of that personal information. The view that Google is on the hook for all searches is not tenable. It is also problematic for the reasons set out by my colleague Michael Geist in his recent post.

I also note with some concern the way in which the “journalistic purposes” exception is treated in the Commissioner’s report. This exception is one of several designed to balance privacy with freedom of expression interests. In this context, the argument is that a search engine facilitates access to information, and is a tool used by anyone carrying out online research. This is true, and for the reasons set out above, PIPEDA does not apply unless that research is carried out in the course of commercial activities to which the statute would apply. Nevertheless, in discussing the exception, the Commissioner states:

Some have argued that search engines are nevertheless exempt from PIPEDA because they serve a journalistic or literary function. However, search engines do not distinguish between journalistic/literary material. They return content in search results regardless of whether it is journalistic or literary in nature. We are therefore not convinced that search engines are acting for “journalistic” or “literary” purposes, or at least not exclusively for such purposes as required by paragraph 4(2)(c).

What troubles me here is the statement that “search engines do not distinguish between journalistic and literary material”. They don’t need to. The nature of what is sought is not the issue. The issue is the purpose. If an individual uses Google in the course of non-commercial activity, PIPEDA does not apply. If a journalist uses Google for journalistic purposes, PIPEDA does not apply. The nature of the content that is searched is immaterial. The quote goes on to talk about whether search engines act for journalistic or literary purposes – that too is not the point. Search engines are tools. They are used by actors. It is the purposes of those actors that are material, and it is to those actors that PIPEDA will apply – if they are collecting, using or disclosing personal information in the course of commercial activity.

The Report is open for comment until April 19, 2018.

Published in Privacy

Note: The following are my speaking notes for my appearance on February 23, 2026 before the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI). ETHI is currently engaged in a review of PIPEDA. My colleague Dr. Florian Martin-Bariteau also appeared before the same committee. His remarks are found here.

Thank you for the invitation to meet with you today and to contribute to your study of the Personal Information Protection and Electronic Documents Act. I am a professor at the University of Ottawa, Faculty of Law, where I hold the Canada Research Chair in Information Law. I am appearing in my personal capacity.

We are facing a crisis of legitimacy when it comes to personal data protection in Canada. Every day there are new stories about data hacks and breaches, and about the surreptitious collection of personal information by devices in our homes and on our persons that are linked to the Internet of Things. There are stories about how big data profiling impacts the ability of individuals to get health insurance, obtain credit or find employment. There are also concerns about the extent to which state authorities access our personal information in the hands of private sector companies. PIPEDA, as it currently stands, is inadequate to meet these challenges

My comments are organized around the theme of transparency. Transparency is fundamentally important to data protection and it has always played an important role under PIPEDA. At a fundamental level, transparency means openness and accessibility. In the data protection context it means requiring organizations to be transparent about the collection, use and disclosure of personal information; and it means the Commissioner must be transparent about his oversight functions under the Act. I will also argue that it means that state actors (including law enforcement and national security organizations) must be more transparent about their access to and use of the vast stores of personal information in the hands of private sector organizations.

Under PIPEDA, transparency is at the heart of the consent-based data protection scheme. Transparency is central to the requirement for companies to make their privacy policies available to consumers, and to obtain consumer consent to collection, use or disclosure of personal information. Yet this type of transparency has come under significant pressure and has been substantially undermined by technological change on the one hand, and by piecemeal legislative amendment on the other.

The volume of information that is collected through our digital, mobile and online interactions is enormous, and its actual and potential uses are limitless. The Internet of Things means that more and more, the devices we have on our person and in our homes are collecting and transmitting information. They may even do so without our awareness, and often on a continuous basis. The result is that there are fewer clear and well-defined points or moments at which data collection takes place, making it difficult to say that notice has been provided and consent obtained in any meaningful way. In addition, the number of daily interactions and activities that involve data collection have multiplied beyond the point at which we are capable of reading and assessing each individual privacy policy. And, even if we did have the time, privacy policies are often so long, complex, and vague that reading them does not provide much of an idea of what is being collected and shared, with or by whom, or for what purposes.

In this context consent has become a joke, although unfortunately the joke is largely on the consumer. The only parties capable of saying that our current consent-based model still works are those that benefit from consumer resignation in the face of this ubiquitous data harvesting.

The Privacy Commissioner’s recent consultation process on consent identifies a number of possible strategies to address the failure of the current system. There is no quick or easy fix – no slight changing of wording that will address the problems around consent. This means that on the one hand, there need to be major changes in how organizations achieve meaningful transparency about their data collection, use and disclosure practices. There must also be a new approach to compliance that gives considerably more oversight and enforcement powers to the Commissioner. The two changes are inextricably linked. The broader public protection mandate of the Commissioner requires that he have necessary powers to take action in the public interest. The technological context in which we now find ourselves is so profoundly different from what it was when this legislation was enacted in 2001 that to talk of only minor adjustments to the legislation ignores the transformative impacts of big data and the Internet of Things.

A major reworking of PIPEDA may in any event be well be overdue, and it might have important benefits that go beyond addressing the problems with consent. I note that if one was asked to draft a statute as a performance art piece that evokes the problems with incomprehensible, convoluted and contorted privacy policies and their effective lack of transparency, then PIPEDA would be that statute. As unpopular as it might seem to suggest that it is time to redraft the legislation so that it no longer reads like the worst of all privacy policies, this is one thing that the committee should consider.

I make this recommendation in a context in which all those who collect, use or disclose personal information in the course of commercial activity – including a vast number of small businesses with limited access to experienced legal counsel – are expected to comply with the statute. In addition, the public ideally should have a fighting chance of reading this statute and understanding what it means in terms of the protection of their personal information and their rights of recourse. As it is currently drafted PIPEDA is a convoluted mishmash in which the normative principles are not found in the law itself, but are rather tacked on in a Schedule. To make matters worse, the meaning of some of the words in the Schedule, as well as the principles contained therein are modified by the statute so that it is not possible to fully understand rules and exceptions without engaging in a complex connect-the-dots exercise. After a series of piecemeal amendments, PIPEDA now consists in large part of a growing list of exceptions to the rules around collection, use or disclosure without consent. While the OPC has worked hard to make the legal principles in PIPEDA accessible to businesses and to individuals, the law itself is not accessible In a recent case involving an unrepresented applicant, Justice Roy of the Federal Court expressed the opinion that for a party to “misunderstand the scope of the Act is hardly surprising.”

I have already mentioned the piecemeal amendments to PIPEDA over the years as well as concerns over transparency. In this respect it is important to note that the statute has been amended so as to increase the number of exceptions to the consent that would otherwise be required for the collection, use or disclosure of personal information. For example, paragraphs 7(3)(d.1) and (d.2) were added in 2015, and permit organizations to share personal information between themselves for the purposes of investigating breaches of an agreement or actual or anticipated contraventions of the laws of Canada or a province, or to detect or supress fraud. These are important objectives, but I note that no transparency requirements were created in relation to these rather significant powers to share personal information without knowledge or consent. In particular, there is no requirement to notify the Commissioner of such sharing. The scope of these exceptions creates a significant transparency gap that undermines personal information protection. This should be fixed.

PIPEDA also contains exceptions that allow organizations to share personal information with government actors for law enforcement or national security purposes without notice or consent of the individual. These exceptions also lack transparency safeguards. Given the huge volume of highly detailed personal information, including location information that is now collected by private sector organizations, the lack of mandatory transparency requirements is a glaring privacy problem. The Department of Industry, Science and Economic Development has created a set of voluntary transparency guidelines for organizations that choose to disclose the number of requests they receive and how they deal with them. It is time for there to be mandatory transparency obligations around such disclosures, whether it be public reporting or reporting to the Commissioner, or a combination of both. It should also be by both public and private sector actors.

Another major change that is needed to enable PIPEDA to meet the contemporary data protection challenges relates to the powers of the Commissioner. When PIPEDA was enacted in 2001 it represented a fundamental change in how companies were to go about collecting, using and disclosing personal information. This major change was made with great delicacy; PIPEDA reflected an ombuds model which allowed for a light touch with an emphasis on facilitating and cajoling compliance rather than imposing and enforcing it. Sixteen years later and with exabytes of personal data under the proverbial bridge, it is past time for the Commissioner to be given a new set of tools in order to ensure an adequate level of protection for personal information in Canada.

First, the Commissioner should have the authority to impose fines on organizations in circumstances where there has been substantial or systemic non-compliance with privacy obligations. Properly calibrated, such fines can have an important deterrent effect, which is currently absent in PIPEDA. They also represent transparent moments of accountability that are important in maintaining public confidence in the data protection regime.

The toolbox should also include the power for the Commissioner to issue binding orders. I am sure that you are well aware that the Commissioners in Quebec, Alberta and British Columbia already have such powers. As it stands, the only route under PIPEDA to a binding order runs through the Federal Court, and then only after a complaint has passed through the Commissioner’s internal process. This is an overly long and complex route to an enforceable order, and it requires an investment of time and resources that places an unfair burden on individuals.

I note as well that PIPEDA currently does not provide any guidance as to damage awards. The Federal Court has been extremely conservative in damage awards for breaches of PIPEDA, and the amounts awarded are unlikely to have any deterrent effect other than to deter individuals who struggle to defend their personal privacy. Some attention should be paid to establishing parameters for non-pecuniary damages under PIPEDA. At the very least, these will assist unrepresented litigants in understanding the limits of any recourse available to them.

Thank you for your attention, and I welcome any questions.

Published in Privacy

Many Canadians are justifiably concerned that the vast amounts of information they share with private sector companies – simply by going about their day-to-day activities – may end up in the hands of law enforcement or national security officials without their knowledge or consent. The channels through which vast amounts of personal data can flow from private sector hands to law enforcement with little transparency or oversight can turn the companies we do business with into informers and make us unwittingly complicit in our own surveillance.

A recent Finding of the Office of the Privacy Commissioner of Canada (OPC) illustrates how the law governing the treatment of our personal information in the hands of the private sector has been adapted to the needs of the surveillance state in ways that create headaches for businesses and their customers alike. The Finding, which posted on the OPC site in November 2016 attempts to unravel a tangle of statutory provisions that should not have to be read by anyone making less than $300 per hour.

Basically, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used and disclosed by private sector organizations at the federal level and in all provinces that do not have their own equivalent statutes (only Quebec, B.C. and Alberta do). One of the core principles of this statute is the right of access to one’s personal information. This means that individuals may ask to be informed about the existence, use and disclosure of their personal information in the hands of an organization. They must also be given access to that information on request. Without the right of access it would be difficult for us to find out whether an organization was in compliance with its privacy policies. The right of access also allows us to verify and request correction of any erroneous information.

Another core principle of PIPEDA is consent. This means that information about us should not be collected, used or disclosed without our consent. The consent principle is meant to give us some control over our personal information (although there are huge challenges in this age of overly-long, vague, and jargon-laden privacy policies).

The hunger for our personal information on the part of law enforcement and national security officials (check out these Telco transparency reports here, here and here) has led to a significant curtailment of both the principles of access and of consent. The law is riddled with exceptions that permit private sector companies to disclose our personal information to state authorities in a range of situations without our knowledge or consent, with or without a warrant or court order. Other exceptions allow these disclosures to be hidden from us if we make access requests. What this means is that, in some circumstances, organizations that have disclosed an individual’s information to state authorities, and that later receive an access request from the individual seeking to know if their information has been disclosed to a third party, must contact the state authority to see if they are permitted to reveal that information has been shared. If the state authority objects, then the individual is not told of the disclosure.

The PIPEDA Report of Findings No. 2016-008 follows a complaint by an individual who contacted her telecommunications company and requested access to her personal information in the hands of that company. Part of the request was for “any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.” (at para 4). She received a reply from the Telco to the effect that it was “fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA].” (at para 5) In case that response was insufficiently obscure, the Telco also provided the wording of the subsections in question. The individual complained to the Office of the Privacy Commissioner (OPC).

The OPC decision makes it clear that the exceptions to the access principle place both the individual and the organization in a difficult spot. Basically, an organization that has disclosed information to state authorities without the individual’s knowledge or consent, and that receives an access request regarding this disclosure, must check with the relevant state authority to see if they have any objection to the disclosure of information about the disclosure. The state authorities can object if the disclosure of the disclosure would pose a threat to national security, national defence or the conduct of international affairs, or would adversely impact investigations into money laundering or terrorist financing. Beyond that, the state authorities can also object if disclosure would adversely impact “the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purpose of enforcing any such law.” If the state authorities object, then the organization may not disclose the requested information to the individual, nor can they disclose that they contacted the state authorities about the request, or that the authorities objected to any disclosure. In the interests of having a modicum of transparency, the organization must inform the Privacy Commissioner of the situation.

The situation is complex enough that in its finding, the OPC produced a helpful chart to guide organizations through the whole process. The chart can be found in the Finding.

In this case, the Telco justified its response to the complainant by explaining that if pushed further by a customer about disclosures, it would provide additional information, but even this additional information would be necessarily obscure. The Commissioner found that the Telco’s approach was not compliant with the law, but acknowledged that compliance with the law could mean that a determined applicant, by virtue of repeated requests over time, could come up with a pattern of responses that might lead them to infer whether information was actually disclosed, and whether the state authority objected to the disclosure. This is perhaps not what Parliament intended, but it does seem to follow from a reading of the statute.

As a result of the complaint, the Telco agreed to change its responses to access requests to conform to the requirements outlined in the table above.

It may well be that this kind of information-sharing offers some, perhaps significant, benefits to society, and that sharing information about information sharing could, in some circumstances, be harmful to investigations. The problem is that protections for privacy – including appropriate oversight and limitations – have not kept pace with the technologies that have turned private sector companies into massive warehouses of information about every detail of our lives and activities. The breakdown of consent means that we have little practical control over what is collected, and rampant information sharing means that our information may be in the hands of many more companies than those with which we actively do business. The imbalance is staggering, as is the risk of abuse. The ongoing review of PIPEDA must address these gaps issues – although there are also risks that it will result in the addition of more exceptions from the principles of access and consent.

 

 

 

 

Published in Privacy

The Supreme Court of Canada has issued a relatively rare decision on the interpretation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Although it involves fairly technical facts that are quite specific to the banking and mortgage context, the broader significance of the case lies in the Court’s approach to implied consent under PIPEDA.

The case arose in the context of the Royal Bank of Canada’s (RBC) attempt to obtain a mortgage discharge statement for property owned by two individuals (the Trangs), who defaulted on a loan advanced by the bank. The mortgage was registered against a property in Toronto, on which Scotiabank held the first mortgage. In order to recover the money owed to it, RBC sought a judicial sale of the property, but the sheriff would not carry out the sale without the mortgage discharge statement. Scotiabank refused to provide this statement to RBC on the basis that it contained the Trangs’ personal information and it could therefore not be disclosed to RBC without the Trangs’ consent.

PIPEDA allows for the disclosure of personal information without consent in a number of different circumstances. Three of these, raised by lawyers for RBC, include where it is for the purpose of collecting a debt owed by the individual to the organization; where the disclosure is required by a court order; and where the disclosure is required by law. Ultimately, the Court only considered the second of these exceptions. Because Scotiabank refused to disclose the discharge statement, RBC had applied to a court for a court order that would enable disclosure without consent. However, it found itself caught in a procedural loop – it seemed to be asking the court to order disclosure on the basis of a court order which the court had yet to grant. Although the Court of Appeal had found the court order exception to be inapplicable because of this circularity, the Supreme Court of Canada swept aside these objections in favour of a more pragmatic approach. Justice Côté found that the court had the power to make an order and felt that an order was appropriate in the circumstances. She ruled that it would be “overly formalistic and detrimental to access to justice” to require RBC to reformulate its request for a court order in a new proceeding.

Although this would have been enough to decide the matter, Justice Côté, for the unanimous court, went on to find that the Trangs had given implied consent to the disclosure of the mortgage statement in any event. Under PIPEDA, consent can be implied in some circumstances. Express consent is generally required where information is sensitive in nature. Acknowledging that financial information is generally considered highly sensitive, Justice Côté nevertheless found that in this case the mortgage discharge statement was less sensitive in nature. She stated that “the degree of sensitivity of specific financial information is a contextual determination.” (at para 36) Here, the context included the fact that a great deal of mortgage-related financial information is already in the public domain by virtue of the Land Titles Registry, which includes details such as the amount of a mortgage recorded against the property, the interest rate, payment periods and due date. Although the balance left owing on a mortgage is not provided in the Registry, it can still be roughly calculated by anyone interested in doing so. Justice Côté characterized the current balance of a mortgage as “a snapshot at a point in time in the life of a publicly disclosed mortgage.” (at para 39)

Justice Côté’s implied consent analysis was also affected by other contextual considerations. These included the fact that the party seeking disclosure of the discharge statement had an interest in it; as a creditor, it was relevant to them. According to the Court, the reasonable expectations of the individual with respect to the sensitivity of any information must be assessed in “the whole context” so as not to “unduly prioritize privacy interests over the legitimate business concerns that PIPEDA was also designed to reflect”. (at para 44) The fact that other creditors have a legitimate business interest in the information in a mortgage disclosure statement is “a relevant part of the context which informs the reasonable expectation of privacy.” (at para 45) In this regard, Justice Côté observed that the identity of the party seeking disclosure of the information and the reason for which they are seeking disclosure are relevant considerations. She noted that “[d]isclosure to a person who requires the information to exercise an established legal right is clearly different from disclosure to a person who is merely curious or seeks the information for nefarious purposes.” (at para 46)

Justice Côté also found that the reasonable mortgagor in the position of the Trangs would be aware of the public nature of the details of their mortgage, and would be aware as well that if they defaulted on either their mortgage or their loan with RBC, their mortgaged property could be seized and sold. They would also be aware that a judgment creditor would have a “legal right to obtain disclosure of the mortgage discharge statement through examination or by bringing a motion.” (at para 47)

It seems that it is the fact that RBC could ultimately legally get access to the mortgage discharge statement, viewed within the broader context that drives the Court to find that there is an implied consent to the disclosure of this information – even absent a court order. The Court’s finding of implied consent is nevertheless limited to this context; it would not be reasonable for a bank to disclose a mortgage discharge statement to anyone other than a person with a legal interest in the property to which the mortgage relates. The Court’s reasoning seems to be that since RBC is ultimately entitled to get this information and has legal means at its disposal to get the information, then the Trangs can be considered to have consented to the information being shared.

Pragmatism is often a good thing, and it is easy to be sympathetic to the Court’s desire to not create expensive legal hurdles to achieve inevitable ends in transactions that are relatively commonplace. It should be noted, however, that the same result could have been achieved by the addition of a clause in the mortgage documents that would effectively obtain the consent of any mortgagor to disclosures of this kind and in those circumstances. No doubt after the earlier decisions in this case and in the related Citi Cards Canada Inc. v. Pleasance, banks had already taken steps to address this in their mortgage documents. One of the reasons for having privacy policies is to require institutions to explain to their customers what personal information is collected, how it will be used, and in what circumstances it will be disclosed. While it is true that few people read such privacy policies, they are at least there for those who choose to do so. Nobody reads implied terms because they are… well, implied. Implied consent works where certain uses or disclosures are relatively obvious. In more complicated transactions implied consent should be sparingly relied upon.

It will be interesting to see what impact the Court’s judicial eye roll to the facts of this case will have in other circumstances where consent to disclosure is an issue. The Court is cautious enough in its contextual approach that it may not lead to a dangerous undermining of consent. Nevertheless, there is a risk that the almost exasperated pragmatism of the decision may cause a more general relaxation around consent.

Published in Privacy

The department formerly known as Industry Canada (now Innovation, Science and Economic Development or ISED) has just released a discussion paper that seeks public input on the regulations that will accompany the new data breach notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA).

The need to require private sector organizations in Canada to report data breaches was first formally identified in the initial review of PIPEDA carried out in 2007. The amendments to the statute were finally passed into law in June of 2015, but they will not take effect until regulations are enacted that provide additional structure to the notification requirements. The discussion paper seeks public input prior to drafting and publishing regulations for comment and feedback, so please stop holding your breath. It will still take a while before mandatory data breach notification requirements are in place in Canada.

The new amendments to the legislation make it mandatory for organizations to report data breaches to the Privacy Commissioner if those breaches pose “a real risk of significant harm to an individual”. (s. 10.1) An organization must also notify any individuals for whom the breach poses “a real risk of significant harm (s. 10.1(3). The form and contents of these notifications remain to be established by the regulations. A new s. 10.2 of PIPEDA will also require an organization that has suffered a reportable breach to notify any other organization or government institution of the breach if doing so may reduce the risk of harm. For example, such notifications might include ones to credit reporting agencies or law enforcement officials. The circumstances which trigger this secondary notification obligation remain to be fleshed out in the regulations. Finally, a new s. 10.3 of PIPEDA will require organizations to keep records of all data breaches not just those that reach the threshold for reporting to the Privacy Commissioner. In theory these records might enable organizations to detect flaws in their security practices. They may also be requested by the Commissioner, providing potential for oversight of data security at organizations. The content of these records remains to be determined by the new regulations.

From the above, it is clear that the regulations that will support these statutory data breach reporting requirements are fundamentally important in setting its parameters. The ISED discussion paper articulates a series of questions relating to the content of the regulations on which it seeks public input. The questions relate to how to determine when there is a “real risk of significant harm to an individual”; the form and content of the notification that is provided to the Commissioner by an organization that has experienced a breach; the form, manner and content of notification provided to individuals; the circumstances in which an organization that has experienced a breach must notify other organizations; and the form and content or records kept by organizations, as well as the period of time that these records must be retained.

There is certain that ISED will receive many submissions from organizations that are understandably concerned about the impact that these regulations may have on their operations and legal obligations. Consumer and public interest advocacy groups will undoubtedly make submissions from a consumer perspective. Individuals are also welcome contribute to the discussion. Some questions are particularly relevant to how individuals will experience data breach notification. For example, if an organization experiences a breach that affects your personal information and that poses a real risk of harm, how would you like to receive your notification? By telephone? By mail? By email? And what information would you like to receive in the notification? What level of detail about the breach would you like to have? Do you want to be notified of measures you can take to protect yourself? Do you want to know what steps the organization has taken and will take to protect you?

Anyone with an interest in this issue, whether personally or on behalf of a group or an organization has until May 31, 2016 to provide written submission to This e-mail address is being protected from spambots. You need JavaScript enabled to view it . The discussion paper and questions can be found here.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law