Invasion of Privacy tort continues to develop

In Ontario, conventional wisdom was that invasion of privacy was not something you could sue for.  But that is changing, as evidenced by a just released decision of the Ontario Superior Court of Justice called Jane Doe 464533. That decision awarded damages and costs totaling $141,000, plus an order for the defendant to destroy any video or images he may still have, never to share any intimate images of the plaintiff, and to not communicate with the plaintiff or her family. A pdf version of the decision is here: Doe – redacted

Until this decision, the only successful tort action for invasion of privacy in Ontario was Jones v. Tsige.  The tort recognized in that case was called intrusion upon seclusion, and in practice it applies only to nosy neighbour cases, that is, where an individual accesses personal information about someone for nothing more than curiosity.  The damages for that tort are capped to such an extent that in practice it probably isn’t worth taking to court.

Some privacy class actions have been started since then, which would require an expansion of current law to succeed, but none have reached trial.

In the Jane Doe case the defendant was a former boyfriend of the plaintiff who convinced her to make an intimate video of herself, promising that he would not show it to anyone. He then posted it online. That led to severe emotional distress for the plaintiff.

While the decision is groundbreaking, there is a caveat.  The defendant did not file a statement of defence, and the decision was made on a motion for default judgment.  So while the decision is well reasoned, no contrary position was presented. The issue will eventually reach an appeal court in another case, which will settle the law.

This decision will no doubt be analysed and cited by anyone attempting to sue for a privacy breach, or seeking a remedy for cyberbullying or revenge porn.

Cross-posted to Slaw

11 things you should know about privacy


Privacy laws apply to every business that knows any information about individuals.

Here are 11 things you should know about privacy.

  1. There are many privacy statutes that may apply depending on the nature of the information, the nature of your business, and what province your customers are in. Health information, for example, is usually subject to different statutes than other personal information.
  2. In general, if you want to use someone’s personal information for something they would not think is necessary to provide your services, you need their permission.
  3. Mandatory breach notification is becoming more common. Some provincial statutes already require it, and PIPEDA now includes breach notification provisions that will come into effect soon.  The notice requirements include some rather subjective tests, and must be reviewed carefully if you have a privacy breach.
  4. The definition of personal information is fairly broad. It includes things like an IP address, and depending on the jurisdiction, may include car license plates.
  5. You need to have a privacy policy that clearly describes what you collect and what you do with personal information. The nature and complexity of that policy will vary depending on the nature of your business, the nature of the information, and what you want to do with the personal information.
  6. You must have a privacy officer who is accountable and available to your customers.
  7. A privacy policy should cover your organization as a whole, not just your web site or one product.
  8. A privacy audit may be in order. Make sure you understand what information you actually do collect, use and disclose.  A disconnect between reality and what your policy says is a recipe for disaster.
  9. Privacy, anti-spam legislation (CASL), and Do Not Call legislation complement each other, work together, and shouldn’t be viewed in isolation.
  10. Some privacy laws (in particular some provincial laws dealing with public sector or health information) say that data can’t reside outside of Canada.
  11. Having processes and protections in place to keep personal information out of the wrong hands is crucial. It is equally crucial to deal with a privacy breach appropriately to reduce legal, customer, and headline risk.

Digital Privacy Act amends PIPEDA

Several amendments were made last week to PIPEDA, the federal private sector privacy legislation.   These had been sitting around in draft form for a long time.  Except for the sections creating a new mandatory breach notification scheme, the amendments are now in force.  The breach notification scheme requires regulations before it comes into effect.  More on that at the end of this post.

Several of these changes were long overdue, and bring PIPEDA more in line with some of the Provincial Acts that were drafted after PIPEDA.

Here are some of the highlights that are in force now:

  • The business contact exception from the definition of personal information has been broadened.
  • Provisions have been added to allow the transfer of personal information to an acquiring business for both diligence and closing purposes. Most have been approaching this in a similar way, but vendors/purchasers, and their counsel should make sure they comply with the exact requirements.
  • A new section says consent is only valid if the individual would understand what they are consenting to.  This speaks to the clarity of the explanation, and is particularly important when dealing with children.
  • Several new exceptions allowing the collection, use and disclosure of personal information without consent have been added, such as for witness statements, communication with the next of kin of ill or deceased persons, and fraud prevention.
  • The Commissioner now has a compliance agreement remedy.

The breach notification sections that come into effect at a later date include:

  • Mandatory reporting to the Commissioner of a breach where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”  That test is somewhat subjective, and will no doubt cause some consternation in practice.  Guidance is included on relevant factors to consider and what constitutes “significant harm”.
  • The report must contain certain information and be on a form that will be in the regulations yet to be released.
  • Affected individuals must be similarly notified.
  • Businesses will be required to maintain records of “… every breach of security safeguards involving personal information under its control”, and provide a copy to the Commissioner on request. Note that this is “every” breach without regard to a harm threshold.  This could pose a challenging compliance issue for large organizations.
  • The whistleblowing provision has been amended to allow a complainant to “request” that their identity be kept confidential.
  • The section with the $100,000 fine for interfering with an investigation has been amended to make it an offence to contravene the reporting requirements.  That will make the decision of whether a breach passes the reporting threshold a serious matter to ponder.

Cross-posted to Slaw

Bill C-51 (Anti-terrorism Act, 2015) passed by Senate despite massive opposition

Bill C-51 (Anti-terrorism Act, 2015) has been passed by the Senate despite massive opposition to its privacy-unfriendly, invasive powers.  See, for example, commentary by the Canadian Civil Liberties Association, this article by security law professors entitled “Why Can’t Canada Get National Security Law Right“, and this post on .

Yet in the United States, the USA Freedom Act was just passed that pulled back a bit on the ability of the NSA to collect domestic data.

There seems to be no evidence that all this invasive spying and data collection actually reduces or prevents terrorism or crime.  The cost is enormous, both in the direct cost of collecting, storing and analyzing the data and in the cost to the economy.  A new report from the Information Technology and Innovation Foundation says that US companies will likely lose more than $35 billion in foreign business as a result of NSA operations.

And that’s not to mention the cost to civil liberties and privacy.  As many people have pointed out, 1984 was supposed to be a warning, not an instruction manual.


Cross-posted to Slaw

Happy Data Privacy Day

From the Privacy Commissioner of Canada: “On January 28, Canada, along with many countries around the world, will celebrate Data Privacy Day. Recognized by privacy professionals, corporations, government officials, academics and students around the world, Data Privacy Day highlights the impact that technology is having on our privacy rights and underlines the importance of valuing and protecting personal information.”

Privacy becomes increasingly challenging with new tech such as big data, the internet of things, wearable computers, drones, and government agencies recording massive amounts of data in the name of security.  Sober thought needs to go into balancing the advantages of such things with privacy rights, creating them in a privacy sensitive way, and giving people informed choices.


Cross-posted to Slaw

Here’s how changes to PIPEDA would work

For the London Free Press – July 8, 2013 – Read this at

The Office of the Privacy Commissioner of Canada (OPC) recently released a report recommending reforms to the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is the legislation that governs private-sector privacy generally in Ontario and many other provinces.

The report noted that, “Ninety per cent of the data that exists in the world today has been created in the last two years,” and PIPEDA needs to evolve.

The report highlighted four recommendations.

1: Strengthen enforcement and encourage greater compliance

Statutory damages (meaning a set amount of damages, awarded without any requirement to prove actual loss) for certain contraventions of PIPEDA. The report cites the Copyright Act as a successful example of a statutory-damages regime.

Order-making powers to give the Commissioner the ability to issue a binding order to either enforce an action or prevent one from being committed. At present, the Commissioner can only recommend this type of action.

Administrative monetary penalties (AMPs) are suggested as a means of bringing organizations into compliance with PIPEDA. AMPs are similar to fines, but would be assessed directly by the Commissioner.

Why the OPC wants this: “It is legitimate to question how a small entity with limited resources, such as the OPC, can attract the attention of these companies and proactively encourage them to comply with PIPEDA when the reality is that there are very limited consequences for contravening Canadian privacy law.”

2: Shine a light on privacy breaches

Require organizations to report breaches of personal information to the Commissioner and to affected individuals.

Why the OPC wants this: Some organizations voluntarily report and inform individuals of privacy breaches. Some organizations do not. Those that do voluntarily report may face negative financial and reputational consequences while those that do not report may escape any form of recourse. This “creates an uneven playing field for organizations.”

3: Lift the veil on authorized disclosures

PIPEDA allows disclosure of personal information to a government institution, upon request, without the knowledge or consent of the affected individual. Organizations may, but don’t always, challenge or refuse these requests. The OPC would require organizations to maintain a record of disclosures to government and make it publicly available.

Why the OPC wants this: Canadians seeking access to their personal information would be able to find out if their information had been disclosed. There is no transparency or clear rules about what information can and should be provided to government institutions without a court order.

4: Walk the talk

Enforceable agreements would force an organization, at the end of a privacy investigation, to agree with the Commissioner’s recommendations and to comply within a set time period.

Make accountability provisions subject to review by the Federal Court.

Why the OPC wants this: Monitoring and analyzing a company’s actions are just as time-consuming as the Commissioner’s investigations.

Holistic strategy is better for privacy laws

For the London Free Press – May 6, 2013 – Read this at

There has been controversy in the United States in the last few weeks about their patchwork of privacy laws in contrast to the holistic approach favoured by Canada and the European Union. This matters as commerce and cloud services become more borderless.

The U.S. approach to privacy has been to enact laws that apply to narrow areas as problems are perceived, rather than to look at privacy as a broader subject to regulate.

For example, in 1988 the United States Congress passed the Video Privacy Protection Act to prevent wrongful disclosure of videotape rental or sale records. Though such laws may be effective in the short term, they have a narrow focus, fail to address future technology and leave gaps. And the process to change existing laws is typically glacially slow.

Some privacy regulation in the U.S. isn’t based on privacy laws at all, but on regulatory action and class-action lawsuits based on notions such as the breach of a company’s privacy policy. In other words, the wrong was a breach of a privacy promise, not a breach of a legal privacy requirement.

In contrast, the Canadian and European model deals with privacy on a holistic basis. The holistic approach allows for existing privacy laws to adapt to new technologies rather than having to create new privacy laws in response to new technologies.

In any given Canadian province there are likely no more than two privacy statutes that apply to the private sector.

One applies to personal information generally, and there’s often a separate one that applies to medical records. This is a far more stable, all-encompassing and technology-neutral approach to privacy issues than the U.S. model.

Peter Fleischer, global privacy counsel at Google, recently commented on this issue and his desire to see the United States enact better privacy laws. He notes not a single country has followed the U.S. model.

Fleischer praises European privacy laws for their simplicity and warns if changes aren’t made to the U.S. approach “privacy will prove a serious roadblock to any such future trade back (with the European Union), as long as some people in Europe can argue that the U.S. has not-effective privacy laws.”

Fleischer provides the example of Uruguay, which looked to Spain, as opposed to the U.S., when drafting its recent privacy laws.

In the long run, the holistic approach is a far better and more effective model to protect privacy interests. The holistic approach makes it easier for businesses to understand their obligations and comply, easier for individuals to know where they stand, has less risk of leaving privacy gaps, and makes it easier to deal internationally when other countries require privacy protection as a condition of personal information crossing borders.

As the world continues to emerge from the global economic crisis and the trend toward global integration continues, Canada’s holistic privacy framework will help us take advantage of global opportunities while a less-effective framework could damage U.S. efforts.

Perspective is an important element of Privacy

Today’s Slaw post:

One thing I find consistent about privacy issues is an inconsistency in approach and viewpoint.  What is and is not deemed acceptable seems to change dramatically based on several factors, including geographic location (which I suppose is really more of a cultural issue than a geographic one), whether it is one’s own information or someone else’s information that is at stake, and whether the party holding the information is a government or a business.

Many times it comes down to issues of trust, understanding, surprise, and how public one wants their life to be.

An example is in this article entitled Eric Schmidt is using the same argument against drones that others use against Google Glass.

One of the most common concerns raised about Google Glass (other than looking like a nerd) is the potential for privacy invasion.  The more of these there are around, the more likely each one of us is going to be captured on the video they can take whether we like it or not. And where is all this video going to end up?  That issue has also been raised about drones.  Google’s Eric Schmidt has apparently stated that drones should be strictly regulated for privacy reasons, which seems inconsistent with their approach to Google Glass.

Perhaps one explanation for this could be that privacy in the United States is viewed differently than in Canada and other parts of the world.  In the US, privacy is not approached as a holistic discrete topic to be regulated by general principles.  Instead, it is regulated on a piecemeal basis, such as a privacy law that applies only to movie rentals.

Privacy Abuses and Leaks

Today’s Slaw post

Two current privacy stories are worth mentioning. First, see this CBC news article entitled Political parties operate outside Canada’s privacy laws. The controversy arises from an email sent by a Cabinet Minister to those who signed a petition.

Also see this article entitled Websites leaking customers’ personal info, says privacy watchdog and the Privacy Commissioner’s news release. The issue here is the revelation by the Privacy Commissioner of Canada, Jennifer Stoddart, that 1 in 4 of the 25 websites her office looked at were passing on personal information of users to third party advertising and marketing firms without user consent.

Here is an infographic on web leakage provided by the Commissioner.
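The Commissioner’s finding raises an obvious practical question for anyone running a site: how would you know whether your own pages pass user details to third parties? The script below is an added example, not something from the post or from the Commissioner’s office. It scans a constructed list of HTTP request records (the kind a proxy or browser developer-tools export produces) and flags requests to hosts other than the site’s own domain where an email address or an identifier-looking query parameter appears in the request URL or in the Referer. The first-party domain, the list of suspect parameter names and the sample requests are all assumptions made for illustration.

```python
"""Flag outbound requests that carry personal data to third-party hosts.

Added example (not from the post): scans a constructed list of HTTP
request records for identifiers leaking to domains other than the
site itself, either in the request URL or via the Referer header.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIRST_PARTY = "shop.example"  # hypothetical first-party domain

# Loose email match for query-string values.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Query keys that commonly carry identifiers; illustrative, not a standard list.
SUSPECT_KEYS = {"email", "e", "uid", "user_id", "name", "phone", "postal"}


def is_third_party(host, first_party=FIRST_PARTY):
    """True unless host is the first-party domain or one of its subdomains."""
    host = host.lower()
    return not (host == first_party or host.endswith("." + first_party))


def pii_in_url(url):
    """Return {key: value} for query parameters that look like personal data."""
    found = {}
    query = urlsplit(url).query
    for key, values in parse_qs(query).items():  # parse_qs percent-decodes
        for value in values:
            if key.lower() in SUSPECT_KEYS or EMAIL_RE.match(value):
                found[key] = value
    return found


def find_leaks(records, first_party=FIRST_PARTY):
    """records: iterable of dicts with 'url' and an optional 'referer'.

    Returns one finding per third-party request that carries PII-like data
    in its own URL or in the Referer it sends along.
    """
    findings = []
    for rec in records:
        host = urlsplit(rec["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue  # data sent to the site itself is not a leak
        in_url = pii_in_url(rec["url"])
        referer = rec.get("referer", "")
        in_referer = pii_in_url(referer) if referer else {}
        if in_url or in_referer:
            findings.append({"host": host, "in_url": in_url, "in_referer": in_referer})
    return findings


# Constructed sample requests for a hypothetical shop.example checkout flow.
SAMPLE_REQUESTS = [
    # first party: the site receiving its own user's email is expected
    {"url": "https://shop.example/account?email=alice%40example.org"},
    # tracking pixel given the user id and email directly
    {"url": "https://ads.tracker.example/pixel?uid=12345&e=alice%40example.org",
     "referer": "https://shop.example/checkout"},
    # first-party CDN subdomain: not a third party
    {"url": "https://cdn.shop.example/app.js", "referer": "https://shop.example/"},
    # analytics call whose Referer carries the name from the profile page URL
    {"url": "https://analytics.example/collect?ev=pageview",
     "referer": "https://shop.example/profile?name=Alice+Smith"},
    # analytics call with nothing personal attached
    {"url": "https://analytics.example/collect?ev=click",
     "referer": "https://shop.example/"},
]


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_REQUESTS):
        print(finding)
```

Two of the five sample requests are reported: the pixel that is handed the user id and email outright, and the analytics call that leaks the name because it sat in the query string of the referring page. The check only sees what is in URLs; identifiers sent in POST bodies or cookies need a full proxy capture, and a real list of suspect parameter names would come from your own site’s forms and session design rather than the illustrative set above.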

While on the surface, privacy issues can appear to be simple, there is often room for interpretation, and viewpoints can vary. Those accused of abusing privacy may not understand the issues, may not have educated employees on what they can and can’t do, or may be burying their heads in the sand because they don’t want to face that they may not be able to use personal information to their advantage without permission.

UPDATE: Sept 27 And see this article about an MP’s email exposing 1500 addresses.

Children and website privacy

Today’s Slaw post:

Last week Jennifer Stoddart, the Privacy Commissioner of Canada, spoke at an IT.Can teleconference about online behavioural advertising. Online behavioural advertising means tracking and targeting of individuals’ web activities, across sites and over time, in order to serve advertisements that are tailored to those individuals’ inferred interests. One point she made that I found interesting was about children.

Some countries have laws that specify how children under a certain age are to be treated online including what can be directed to them, and when parental consent is needed. That does not exist here.

The Commissioner’s approach is that if sites are aimed at children, then privacy disclosures and consents must be simple, clear and understandable by children. Which of course means that one should not be doing anything with their personal information that requires consent if they are incapable of understanding and giving an informed consent. This approach is somewhat consistent with the approach to consent to health care treatment, where children are able to consent to many types of treatment on their own, provided they are capable of giving an informed consent.

The Commissioner also made it clear that children should not be tracked online, and thus behavioral advertising should not be directed to children.