For the London Free Press – March 5, 2012 – Read this on Canoe

The Ontario Court of Appeal just released its decision in Jones v Tsige, recognizing for the first time there is a tort of invasion of privacy in Ontario.

The gist of the facts in Jones was a bank employee looked up banking information about another bank employee who was in a common-law relationship with the defendant’s former husband. She looked at the information at least 170 times over four years, but didn’t publish, distribute or record it.

That was clearly contrary to bank policy and privacy legislation, and she was disciplined for it by the bank when it came to light.

The issue in this case was whether the victim could sue for damages. The Court of Appeal decided she could, awarding $10,000 in damages.

Until this decision, it was generally felt one couldn’t sue or collect damages for breach of privacy in Ontario.

Previous Ontario trial-level decisions concerning the existence of a tort of invasion of privacy were at best conflicting with the historic, if not conventional, view the tort of invasion of privacy did not exist.

The Jones decision stated that:

It is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

“Intrusion upon seclusion” happens when one intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, in a situation where the invasion would be highly offensive to a reasonable person.

Leading up to this decision, a number of judges at the trial level had refused to strike out claims made under the tort of invasion of privacy at the pleadings stage, as they were unsure if the tort existed.

My Slaw post for today:

On average, the typical lawyer does not use cutting edge technology, and even if we do have the latest smartphone or tablet, we generally don’t push the envelope for its use. It is worthwhile though (at least for those of us who might be described as tech geeks) to think about how we might better use the tech we have now, and what might lie ahead. For example:

Microsoft announced in November a modified version of the Kinect that is designed to work with PC’s, rather than the XBox. So Minority Report like gesture control can now be used, for example, to control presnentations in a board room or conference hall.

The New York Times reported yesterday some speculation that Google might be working on Google glasses for sale later this year. The concept is that the glasses will provide a display to stream information to the wearer’s eyes. And its not just a display. It is rumoured to include data connections, sensors, a camera and GPS – essentially a smartphone in a pair of glasses. For a taste of what this might do, take a look at Google Goggles.

My Slaw post for today:

“What _____ do” seems to be the latest meme. As a break from the serious issues surrounding things like the lawful access bill, here are some that might resonate with Slaw readers.

That’s the title of my Slaw post for today.  It reads as follows.

With Parliament back in session, we are seeing more attention on the proposed “lawful access” legislation. There is good reason for that. Many of us believe the proposed legislation is an affront to privacy, and gives law enforcement overly intrusive rights without court supervision that will in practice be no more than expensive, invasive, privacy offensive security theatre.

In this CBC interview, Ann Cavoukian, the Ontario Privacy Commissioner, does an excellent job of explaining the issue. Well worth investing 7 minutes to watch.

That’s the title of my Slaw post for today.  It reads as follows.

Getting the privacy balance right is not easy, from both theoretical and practical perspectives. As examples, here are some recent developments that go both ways.

Pro Privacy

• Proposed Bill C-12 amendments to PIPEDA that would mandate privacy breach notification in certain circumstances.
• The Ontario Court of Appeal decision in Jones v Tsige that created a tort of breach of privacy, or “intrusion upon seclusion” for intentional, offensive privacy invasions.
• The US Supreme court decision in US v Jones that decided police need to get a warrant before attaching a GPS tracking device to a vehicle.

Anti Privacy

• Proposed Bill C-12 amendments to PIPEDA that encourage private entities to give personal information to law enforcement without warrants.
• Proposed “Lawful Access” legislation that allows police to obtain a significant amount of information about our mobile phone and internet accounts without a warrant, and would require ISP’s to retain certain information about us.
• The Supreme Court of Canada’s refusal to hear the appeal of the Leon’s case where the Alberta Court of Appeal said that license plates are not personal information.

That’s the title of my Slaw post for today.  It reads as follows.

Here are some of the sites that are going dark today, or changing their home pages in protest over the proposed US legislation. For more information on why this legislation is so bad, check out these sites, or search for “SOPA” on Slaw or Techdirt.com, or just Google it.

Wikipedia:

Boing Boing

WordPress

EFF

This is Google’s US site. Google’s Canadian homepage does not seem to be affected.

Michael Geist

That’s the title of my Slaw post for today.  It reads as follows.

As Connie mentioned, the annual Consumer Electronics Show is now underway in Las Vegas. The tech press is full of commentary on the latest and greatest things at the show. One trend is that everything is becoming more intelligent and more connected, ranging from TV’s to appliances.

That results in many great features and new capabilities. At the same time, a Washington Post article entitled Privacy rights activists worry about potential abuse of high-tech devices featured at CES event points out that we can’t forget about the privacy issues that comes along with this technology.

The article starts off by saying:

The thousands of devices debuting Tuesday at the Consumer Electronics Show here demonstrate how tech companies are poised to gather unprecedented insights into consumers’ lives — how much they eat, whether they exercise, when they are home and who they count as friends.

Silicon Valley is in a gold rush for information, highlighted by Google’s announcement Tuesday that it would incorporate data posted by users on its social networking service into the results of its main search engine.

Many of the companies providing this technology are certainly cognizant of the privacy issues, and will do the right things regarding use, disclosure and consent. But we can’t forget that we don’t all have the same sensibilities or thresholds for privacy issues. Some of us may indeed care about who our washing machine tells that our laundry is done, or who knows what the temperature is in our house.

This is an issue that we can’t just brush aside.

That’s the title of my Slaw post for today.  It reads as follows:

Pending legislation always makes good fodder for lawyers to comment on in annual predictions articles. The pending anti-spam legislation has resulted in several such comments.

In my predictions article scheduled for publication next week, I comment that:

The Federal anti-spam legislation that was expected to be in force in 2011 is still waiting for regulations to be passed before coming into force. The draft regulations received a lot of criticism, and may be revised prior to the Act coming into force. The Act will be a compliance headache for many organizations, unless the regulations effectively narrow the broad definition of Spam. The Act is intended to provide tools to stop what we all understand to be spam. But the Act defines spam to include e-mails that many businesses or charities routinely send that the recipients probably would not consider to be spam.

Michael Geist predicts that in July:

Nearly one year after proposing anti-spam regulations, the government unveils modified regulations and seeks further public comment before the law takes effect. The new regulations establish a series of new exceptions to the law consistent with the demands of several marketing groups.

Barry Sookman has written a detailed analysis entitled Will it be illegal to recommend a dentist under Canada’s new anti-spam law (CASL)? in which he suggests that the legislation may indeed be that overreaching. It is worth a read to get a flavour for how complex this can get, and what the unintended consequences may be.

This legislation and its pending regulations merit a close watch this year. While its intentions are good, I believe it has the potential to waste far more time, money and effort for businesses and charities attempting to comply, than it will save by the amount of real spam it might reduce. And I’m not sure whether appropriate regulations can temper it sufficiently.

Another wrinkle is that the Supreme Court of Canada’s December decision that said the proposed Canadian Securities Act was not within the legislative authority of Parliament has some wondering if the same fate might be in store for parts of the anti-spam legislation.

That’s the title of my Slaw post for today.  It reads as follows.

Ann Cavoukian – the Ontario Privacy Commissioner – has written an excellent op-ed in the Financial Post entitled Beware of ‘Surveillance by Design’.

It starts off with:

I feel the need to raise a growing concern regarding the lack of understanding of a key privacy issue – the ease of data linkages in an ever-increasing online world.

In this day and age of 24/7 online expanded connectivity and immediate access to digitized information, new analytic tools and algorithms now make it possible, not only to link a number with a name, but also to combine information from multiple sources, ultimately creating an accurate profile of a personally identifiable individual.

The Commissioner weighs in on the controversial Alberta Leon’s case that decided license plates are not personal information – which differs from other provinces.

She also expresses her concerns about the pending federal “lawful access” laws, saying that:

In my view, this represents a looming system of “surveillance by design,” that should concern us all in a free and democratic society.

That’s the title of my Slaw post for today.  It reads as follows.

Several amendments are proposed to PIPEDA, (Bill C-12) the federal private sector privacy legislation. It is sitting now at first reading stage, and we are not yet sure how long it will be before it is passed.

This post summarizes an IT.Can teleconference on the subject presented today by David Fraser of McInnes Cooper and Lisa Lifshitz of Gowling Lafleur Henderson LLP.

The definition of personal information has been changed slightly. It is now simply defined as: “information about an identifiable individual”. Along with that comes a new definition of “business contact information”, which expands the “business card” exception that does not now include e-mail address. It also adds a requirement that the reason for the use or disclosure of business contact information be “in relation to their employment, business or profession”.

A new section 6.1 clarifies “valid consent” in terms of the need for the individual to understand what they are consenting to – including the nature, purpose and consequences. This may lead to some practical challenges in how to communicate that effectively – particularly “consequences”.

It will add mandatory breach notifications in certain situations, the provisions for which are very detailed.

Material breaches of “security safeguards” must be reported to the Privacy Commissioner.

Notifications must be made to individuals involved if the breach could lead to a “real risk of significant harm to the individual”.

There is also a 3^rd possible notification to a third party organization if that organization could reduce the risk of harm. It is unclear who that might be.

It adds a business transactions exemption, which is long overdue. Most practitioners have proceeded as if these amendments were already there.

It includes a broad definition of “business transaction” (business sale, merger, financing…), and allows personal information to be transferred without consent, provided that certain safeguards are complied with. These rules do not apply if the primary purpose of the transaction is the disposition of the personal information. If that is the case (such as the sale of a customer list), then the basic PIPEDA requirements come into play.

PIPEDA has the concept that information can be given to “investigative bodies” as approved by regulation. That concept will be removed, and replaced with a more flexible arrangement that allows disclosure to another organization if “necessary” to investigate a breach of an agreement or law, or to prevent, detect or suppress fraud.