Teresa Scassa - Blog


Ongoing litigation in Canada over the recovery by provincial governments of health care costs related to tobacco use continues to raise interesting issues about the intersection of privacy, civil procedure, and big data analytics. A March 7 2019 decision by the New Brunswick Court of Queen’s Bench (Her Majesty the Queen v. Rothmans Inc.) picks up the threads left hanging by the rather muted decision of the Supreme Court of Canada in The Queen v. Philip Morris International Inc.

The litigation before the Supreme Court of Canada arose from the BC government’s attempt to recover tobacco-related health care costs in that province. The central issue concerned the degree of access to be provided to one of the big tobacco defendants, Philip Morris International (PMI), to the databases relied upon by the province to calculate tobacco-related health care costs. PMI wanted access to the databases in order to develop its own experts’ opinions on the nature and extent of these costs, and to challenge the opinions to be provided by provincial experts who would have full access to the databases. Although the databases contained aggregate, de-identified data, the government denied access, citing the privacy interests of British Columbians in their health care data. As a compromise, they offered limited and supervised access to the databases at Statistics Canada Research Data Centre. While the other tobacco company defendants accepted this compromise, PMI did not, and sought a court order granting it full access.

The Supreme Court of Canada’s decision was a narrow one. It interpreted the applicable legislation as making health care records and documents of individuals non-compellable in litigation for recovery of costs based on aggregate health care data. The Court considered the health databases to be “records” and “documents” and therefore not compellable. However, their decision touched only on the issue of whether PMI was entitled to access the databases to allow its own experts to prepare opinions. The Court did not address whether a defendant would be entitled to access the databases in order to challenge the plaintiff’s expert’s report that was created using the database information. Justice Brown, who wrote for the unanimous Court, stated: “To be clear, the databases will be compellable once "relied on by an expert witness": s. 2(5)(b). A "statistically meaningful sample" of the databases, once anonymized, may also be compelled on a successful application under ss. 2(5)(d) and 2(5)(e).” (at para 36) In response to concerns about trial fairness, Justice Brown noted the early stage of the litigation, and stated that: “Within the Act, the Legislature has provided a number of mechanisms through which trial fairness may be preserved. Specifically, s. 2(5)(b) itself requires that any document relied upon by an expert witness be produced.” (at para 34) He also observed that:

 

[Section] 2(5)(d) permits a court, on application, to order discovery of a "statistically meaningful sample" of any of the records and documents that are otherwise protected by s. 2(5)(b). No defendant has yet made such an application and thus no court has yet had reason to consider what would constitute a "statistically meaningful sample" of the protected documents. (at para 35)

The Supreme Court of Canada therefore laid the groundwork for the motions brought to the New Brunswick Court of Queen’s Bench under essentially similar legislation. Section 2 of New Brunswick’s Tobacco Damages and Health Care Costs Recovery Act is more or less identical to the provisions considered by the Supreme Court of Canada. Sections 2(5)(d) and (e) of the Act provide:

2(5). . .

(b) the health care records and documents of particular individual insured persons or the documents relating to the provision of health care benefits for particular individual insured persons are not compellable except as provided under a rule of law, practice or procedure that requires the production of documents relied on by an expert witness,

. . .

(d) notwithstanding paragraphs (b) and (c), on application by a defendant, the court may order discovery of a statistically meaningful sample of the documents referred to in paragraph (b) and the order shall include directions concerning the nature, level of detail and type of information to be disclosed, and

(e) if an order is made under paragraph (d), the identity of particular individual insured persons shall not be disclosed and all identifiers that disclose or may be used to trace the names or identities of any particular individual insured persons shall be deleted from any documents before the documents are disclosed.

Thus, the provisions allow for discovery of documents relied upon by the government, subject to an obligation to deidentify them.

An expert witness for the Province of New Brunswick had produced several reports relying on provincial health care data. The province maintained that for privacy reasons the defendant should not have direct access to the data, even though it was deidentified in the database. It offered instead to provide recourse through a Statistics Canada Research Data Centre. The defendant sought “a "statistically meaningful sample" of clinical health care records concerning 1,273 individual insured persons in New Brunswick, under the authority of subsections 2(5)(d) and (e) of the Act.” (at para 2) It also sought a production order for “all Provincial administrative databases and national survey data” that was relied upon by the Province’s expert witness in preparing his reports. In addition, they sought access to data from other provincial health databases that were not relied upon by the expert in his report – the defendant was interested in assessing the approaches he chose not to pursue in addition to those he actually pursued. The province argued that it had provided sufficient access to relevant data through the Statistics Canada RDC, which implemented appropriate safeguards to protect privacy.

Justice Petrie first considered whether the access via Statistics Canada was adequate and he concluded that it was not. He noted that one of the other defendants in the litigation had filed an access to information request with Statistics Canada and had thereby learned of some of the work carried out by the province’s expert witness, including some “calculations and analysis” that he had chosen not to rely upon in his work. While the defendants were not prejudiced by this disclosure, they used it as an example of a flaw in the system administered by Stats Canada since its obligations under the Access to Information Act had led to the disclosure of confidential and privileged information. They argued that they could be prejudiced in their own work through Stats Canada by access to information requests from any number of entities with interests adverse to theirs, including other provincial governments. Justice Petrie sided with the defendants. He found that: “the Province's production of the data and materials relied upon by Dr. Harrison only within the confines and authority of a third party to this litigation, StatsCan/RDC poses a real risk to the confidentiality and privilege that must be accorded to the defendants and their experts.” (at para 66) He also stated:

 

The risk of potential premature or inadvertent disclosure, as determined by StatsCan, presents an unfair obstacle to the defendants' experts if required to undertake their analysis only within StatsCan/RDC. In short, the StatsCan Agreement terms and conditions are overly restrictive and likely pose a serious risk to trial fairness. I am of the view that less restrictive options are available to the Court and ones that more fairly balance trial fairness with the risks to any privacy breach for individual New Brunswickers. (at para 65)

These less restrictive options stem from the Court’s own power to “provide for directions on production and to protect the personal and sensitive information of individuals.” (at para 68) Justice Petrie found that “there are no applicable restrictions under privacy legislation to prohibit the Court from ordering document production outside of the StatsCan/RDC in the circumstances.” (at para 72) He rejected arguments that the Statistics Act prevented such disclosures, ruling that custody and control over the health data remained shared between the province and Stats Canada, and that the court could order the province to disclose it. Further, he found:

 

Where, as here, the Province has served the defendants with five expert reports of Dr. Harrison and indicated their intention to call him as a witness at trial, I find that subsection 2(5)(b) of the Act expressly requires production of the materials "relied upon" by the expert in the ordinary course. I am confident that the Court is capable of fashioning an order which would adequately address any privacy or reidentification concerns while, at the same time, imposing more balanced measures on the defendants and/or their experts. (at para 82)

These measures could include a direction by the court that no party attempt to identify specific individuals from the deidentified data.

On the issue of the disclosure of a statistically significant sample of health records, the defendant sought a sample from over 1200 New Brunswick patients. The legislation specifically provides in s. 2(5)(d) that a court may order discovery of “a statistically meaningful sample of the documents”, so long as they are deidentified. Justice Petrie found that there was a statutory basis for making this order, so long as privacy could be preserved. He rejected the province’s argument that the only way to do this was through the Stats Canada RDC. Instead, he relied upon the court’s own powers to tailor orders to the circumstances. He stated: “I am of the view that there is a satisfactory alternative to the StatsCan/RDC Agreement on terms that can allow for any re-identification risks to be properly addressed by way of a consent order preferably, and if not, by way of further submissions and ruling of this Court.” (at para 131)

On the issue of privacy and the deidentified records in the statistically significant sample, Justice Petrie stated:

 

Even if individuals might be able to be re-identified, which I am not convinced, it is not clear why the defendants would ever do so. [. . .] With respect to this request for an individual's personal health records, the Province has suggested no other alternative to such a sample, nor any alternative to the suggested approach on "anonymization" of the information. (at para 141)

He granted the orders requested by the defendants and required the parties to come to terms on a consent order to protect privacy in a manner consistent with his reasons.

This decision raises issues that are more interesting than those that were before the Supreme Court of Canada, mainly because the court is required in this case to specifically address the balance between privacy and fairness in litigation. The relevant legislation clearly does not require defendants to accept the plaintiff’s analyses of health data at face value; they are entitled to conduct their own analyses to test the plaintiff’s evidence, and they are permitted to do so using the data directly and not through some intermediary. While this means that sensitive health data, although anonymized, will be in the hands of the defendant tobacco companies, the court is confident that the rules of the litigation process, including the implied undertaking rule and the power of the court to set limits on parties’ conduct, will be sufficient to protect privacy. Although this court seems to believe that reidentification is not likely to be possible (a view that is certainly open to challenge), even if it were possible, direction from the court that no analyses designed to permit identification will take place is considered sufficient.

Published in Privacy

(This post is admittedly on the long side - if you have read the case and all you want are my thoughts on the difference between majority and minority opinions, feel free to skip to "Concluding thoughts" at the end.)

On February 14, 2019 the Supreme Court of Canada released its long-awaited decision in R. v. Jarvis, a case in which a high school teacher was prosecuted for voyeurism after he used a pen camera to make multiple recordings of female students’ cleavage while he talked to them in hallways or labs at school. Jarvis was acquitted at trial on the basis that the judge was not persuaded beyond a reasonable doubt that the recordings were for a sexual purpose, which was an element of the crime. The Ontario Court of Appeal found that the recordings were for a sexual purpose, but they upheld the acquittal on the basis that the students had no reasonable expectation of privacy at school. (My post on the ONCA decision is here).

The only issue before the Supreme Court of Canada (SCC) was “whether the Court of Appeal erred in finding that the students recorded by Mr. Jarvis were not in circumstances that give rise to a reasonable expectation of privacy for the purposes of s. 162(1) of the Criminal Code.” (at para 4). The SCC ruled unanimously that the students had a reasonable expectation of privacy and that a conviction should be entered in the case. However, the Court split on how they reached that conclusion. Six judges opted for a contextual approach to the reasonable expectation of privacy that set out a non-exhaustive list of nine considerations to take into account in determining whether a person has been observed or recorded in circumstances giving rise to an expectation of privacy. In reaching this interpretation, these judges relied in part on ‘reasonable expectation of privacy’ jurisprudence developed by the Court under s. 8 of the Charter. The three minority judges rejected the use of privacy jurisprudence developed in the criminal context, where the interests of the state are pitted against those of the individual. They also disagreed with the majority’s list of factors to consider in assessing a reasonable expectation of privacy. The minority would have kept only those four of the nine factors that could be linked to elements of the offence in s. 162(1).

The importance of this decision lies in the contextual approach taken by the majority to the reasonable expectation of privacy. This approach moves us away from the troubling dichotomy between public and private space which seems to inform the decision of the majority of the Court of Appeal. While the location of the person who is being subject to observation or recording is one of the factors to take into account, it is only one of them. Similarly, awareness of or consent to potential observation or recording is only a consideration and is not on its own determinative. The contextual approach also permits consideration of the relationship between the parties.

In this case, Jarvis had been charged with the crime of voyeurism under s. 162(1) of the Criminal Code. It is useful to reproduce the relevant parts of this provision:

162 (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if

[. . . ]

(c) the observation or recording is done for a sexual purpose.

For there to be a conviction, Jarvis’ recordings would have to have been of students “in circumstances that give rise to a reasonable expectation of privacy.” The recordings were made when Jarvis engaged individual students or small groups of students in conversation in the school’s hallways or common areas.

The majority’s approach to interpretation

The majority’s interpretation of the phrase “circumstances that give rise to a reasonable expectation of privacy” is important, particularly since the majority of the ONCA had focused predominantly on location in determining whether a reasonable expectation of privacy arose on the facts. The majority of the SCC had some important things to say on the issue of privacy in public space. While acknowledging that expectations of privacy “will generally be at their highest when a person is in a traditionally ‘private’ place from which she has chosen to exclude all others”, (at para 37), Chief Justice Wagner nonetheless affirmed that a person does not lose all expectation of privacy because she is in public. He stated: “a person may be in circumstances where she can expect to be the subject of certain types of observation or recording but not to be the subject of other types.” (at para 38) He continued: “being in a public or semi-public space does not automatically negate all expectations of privacy with respect to observations or recording”. (at para 41)

The Chief Justice noted that the wording of s. 162(1) also supported the view that a reasonable expectation of privacy was not tied to location. In the first place, that provision speaks of “circumstances” giving rise to a reasonable expectation of privacy. It identifies three possible situations, the first of which is tied to location (where a person is “in a place in which a person can reasonably be expected to be nude . . . or to be engaged in explicit sexual activity”: s. 162(1)(a)). (at para 44) But paragraph 162(1)(c) merely refers to situations where “the observation or recording is done for a sexual purpose”. This latter provision contains no element of location.

The majority ruled that the jurisprudence developed under s. 8 of the Charter, which provides a right to be free from unreasonable search or seizure, could be used in interpreting the concept of “reasonable expectation of privacy”. This is a point on which the minority justices differed sharply. Section 8 of the Charter essentially provides an accused with what amounts to privacy protection from state intrusion. The concept of a “reasonable expectation of privacy” is a key element of a s. 8 analysis. However, as the majority notes, it is also a term used in other contexts – both civil and criminal. Interestingly, those civil contexts in which the phrase is used in Canadian legislation are predominantly found in relatively new statutes that provide tort recourse for the non-consensual distribution of intimate images. The phrase appears in legislation of this kind in Nova Scotia, Newfoundland, Alberta, Saskatchewan and Manitoba.

The majority noted that the Court’s s. 8 jurisprudence requires a contextual analysis of the reasonable expectation of privacy. Further, the case law teaches us that “privacy is not an ‘all-or-nothing’ concept” and that “simply because a person is in circumstances where she does not expect complete privacy does not mean that she waives all reasonable expectations of privacy.” (at para 61) Privacy is differently affected by recordings than by passing observations. Further, the impact of new and emerging technologies needs to be carefully considered. It is possible that “technology may allow a person to see or hear more acutely, thereby transforming what is “reasonably expected and intended to be a private setting” into a setting that is not.” (at para 63). The majority also noted that “‘reasonable expectation of privacy’ is a normative rather than a descriptive standard.” (at para 68). This means that a person’s expectation of privacy should not be determined simply on the basis of whether there is a risk that they might be observed or recorded. If this were the case, advances in technology would shrink reasonable expectations of privacy to nothingness. As a result, the majority framed the core question as “whether that person was in circumstances in which she would reasonably have expected not to be the subject of the observation or recording at issue.” (at para 70)

Applying the contextual approach

For the majority, the determination of whether a person was in “circumstances that give rise to a reasonable expectation of privacy” should be guided by a non-exhaustive list of contextual considerations. These considerations should include:

1. The location the person was in when she was observed or recorded.

2. The nature of the impugned conduct, that is, whether it consisted of observation or recording.

3. Awareness of or consent to potential observation or recording.

4. The manner in which the observation or recording was done.

5. The subject matter or content of the observation or recording.

6. Any rules, regulations or policies that governed the observation or recording in question.

7. The relationship between the person who was observed or recorded and the person who did the observing or recording.

8. The purpose for which the observation or recording was done.

9. The personal attributes of the person who was observed or recorded.

Applying these factors to the case before them, the majority noted that the videos were taken at school. The majority of the Court of Appeal had considered schools to be public places. However, the majority of the SCC found that schools are not entirely ‘public’ in nature. Access is restricted, and schools are “subject to formal rules and informal norms of behaviour, including with respect to visual recording, that may not exist in other quasi-public locations”. (at para 73). They noted that the young women were not merely observed, they were recorded – and they were unaware that recording was taking place. Although the ONCA had taken into account the fact that students were aware of continuous recording by security cameras in schools, the majority of the SCC ruled that “not all forms of recording are equally intrusive” and “there are profound differences between the effect on privacy resulting from the school’s security cameras and that resulting from Mr. Jarvis’ recordings” (at para 75). The majority found Jarvis’s recordings were “far more intrusive than casual observation, security camera surveillance or other types of observation or recording that would reasonably be expected by people in most public places, and in particular, by students in a school environment.” (at para 76).

In considering the content of the recordings, the majority noted that while the recordings were of students engaging in normal school activities, they focused close-up on their faces and breasts. The videos targeted specific students rather than capturing general scenes of school activity. The majority stated: “the videos do not show students merging into the “situational landscape”; rather, they single out these students, make them personally identifiable, and allow them to be subjected to intensive scrutiny.” (at para 80).

On the issue of rules and policies, the majority noted that there was a formal school board policy that prohibited the making of recordings of this kind. While the existence of such rules or policies is not determinative, and their weight might vary depending on the circumstances, in this case, the policy gave clear support to a finding of a reasonable expectation of privacy on the part of the students. Jarvis’ behavior was outside of the clearly established norms for teachers at school.

The seventh factor is important in this case. It relates to the relationship between the perpetrator and the person being observed or recorded. The majority found that a relationship of trust existed between teachers and students. The Chief Justice wrote: “It is inherent in this relationship that students can reasonably expect teachers not to abuse their position of authority over them, and the access they have to them, by making recordings of them for personal, unauthorized purposes” (at para 84). Of all of the factors in the majority’s list, this is the one that makes it most clear that a reasonable expectation of privacy does not rely simply on factors related to location, awareness, or the logistics of the observation or recording. Perhaps because of this, it is one of the factors the minority justices rejected.

The majority also considered the purpose of the recording. Since conviction for voyeurism under s. 162(1)(c) requires that the observation or recording be for sexual purposes, this seems a bit redundant. However, the consideration is part of a framework for determining a reasonable expectation of privacy more generally – and presumably in contexts other than just s. 162(1) of the Criminal Code. Thus, for example, the fact that the school had video cameras in public spaces did not infringe on the students’ reasonable expectations of privacy, but Jarvis’ recordings did – a key reason (though not the only one) for this was linked to the purpose of the recordings. The majority of the Court of Appeal, by contrast, had fixed on location as crucial to the reasonable expectation of privacy; citing the public nature of schools and the already existing surveillance cameras, they found the students had no reasonable expectation of privacy.

The final factor considered by the majority was the “personal attributes” of the affected persons. In this case, it meant taking into account that the people recorded were high school students. Justice Wagner noted that there is evidence of a “societal consensus” that children have “greater privacy rights than similarly situated adults.” (at para 86).

After applying these criteria to the facts, the majority easily concluded that the young women recorded by Jarvis had a reasonable expectation of privacy. Justice Wagner wrote: “A student attending class, walking down a school hallway or speaking to her teacher certainly expects that she will not be singled out by the teacher and made the subject of a secretive, minutes-long recording or series of recordings focusing on her body.” (at para 90). Interestingly, he also indicated that he might have ruled the same way if the recordings had been made by a stranger on a public street.

The minority opinion

Justice Rowe wrote for the three judges in the minority. Although they too found that a conviction should be entered in this case, they had two main points of disagreement with the majority justices. The first was that, in their view, s. 8 case law should not be used in interpreting what a “reasonable expectation of privacy” is for the purposes of a criminal offence. They noted that s. 8 case law evolved to address the reasonable expectations of privacy that individuals have vis à vis the state. Section 162(1) involved the Crown having to prove that one individual encroached on the reasonable expectation of privacy of another; according to Justice Rowe, this was something very different from redressing “[t]he power imbalance of the police as agents of the state vis-à-vis a citizen that is at the heart of the preoccupations under s. 8 of the Charter”. (at para 102)

Justice Rowe also considered that s. 8 had been interpreted to protect personal, territorial and information privacy. By contrast, in his view, s. 162(1) of the Criminal Code “can relate only to the protection of one’s physical image, a subcategory of personal privacy, itself a subcategory of that which is protected under s. 8”. (at para 102).

The minority justices also take issue with the majority’s list of contextual factors. Instead, they find that only four of the nine factors are actually required by the wording of s. 162(1) taken as a whole. These are: location; the subject matter of the observation or recording; the purpose for which it was made; and the complainant’s awareness of the observation or recording. For the minority justices, the five other factors identified by the majority are relevant only to sentencing. Thus, for the minority, the existence of a relationship of trust is not a factor in assessing whether a person is guilty of voyeurism.

Justice Rowe notes that the voyeurism offences in the Criminal Code were the first “to include a complainant’s reasonable expectation of privacy as an element of the offence.” (at para 118) Since voyeurism is a sexual offence, he argued that the concept of a reasonable expectation of privacy had to be interpreted with regard to “personal autonomy and sexual integrity”. In his view, the privacy interest in s. 162(1):

is meant to protect a privacy interest in one’s image against observations or recordings that are, first, surreptitious and, second, objectively sexual in content or purpose. This privacy interest itself, where it is substantially and not trivially engaged (e.g. by merely uncouth or ill-mannered behavior), is founded on the twin interests of the protection of sexual integrity and the autonomy to control one’s personal visual information. (at para 128)

In the context of the voyeurism offence, the minority justices were of the view that “Infringing a person’s reasonable expectation of privacy in the context of the voyeurism offence can be conceptualized as crossing a threshold where the law prioritizes the observed person’s interest in protecting their autonomy and sexual integrity over the accused’s liberty of action.” (at para 132)

Such an approach to privacy does not depend solely on location. While location is relevant, it is not determinative. For the minority justices, a privacy infringement occurs “when that which is unknown/unobserved becomes known/observed without the person having put this information forward.” (at para 136) Although a person may be undressed in some public places such as a change room, they might reasonably expect to be observed, yet they would “maintain an essential privacy interest that can be infringed by surreptitious observation or recording, with or without the use of technology, which allows more invasive access to the subject’s image than would otherwise be possible.” (at para 137)

Ultimately, the minority justices found that the students had a reasonable expectation “regarding how their bodies would be observed in the classrooms and hallways of their school” (at para 146). They found that Jarvis’ recordings “went beyond the access that the students allowed in this setting, thus infringing their autonomy”. They were also of a sexual nature, leading to the conclusion that the students’ sexual integrity was infringed.

Concluding Thoughts

The majority’s decision will likely be welcomed by many in the privacy community who had become concerned by the fact that many lower courts, in different contexts, had suggested that there can be no reasonable expectation of privacy in public space. In a society in which public space is increasingly penetrated by technology that permits surveillance and recording (the majority, for example, mentioned drones, but Jarvis’ pen camera is also an example), a contextual approach to privacy is far more useful than any distinction based on concepts of private and public space. The majority also includes the concept of relationships of trust or authority in its analysis. In Jarvis, it is hard to ignore the fact that the teacher was in a position of both trust and authority over the students. Youths should be able to trust that the adults who have authority over them will not surreptitiously record images of them for sexual purposes regardless of where they are located. The relationship is surely a factor in the reasonableness of any expectation of privacy. The majority’s contextual approach feels right in these circumstances.

At the same time, the minority is correct in noting that s. 8 jurisprudence has evolved to answer the question of whether and when individuals have a reasonable expectation of privacy vis à vis the state. As Justice Rowe observes in Jarvis, s. 162(1) is an offence that defines the circumstances in which a person’s liberty to act crosses the line and becomes criminal. His approach, which links the expectation of privacy to considerations present in the wording of the offence (including location, purpose of recording, the subject matter of the observation or recording, and the complainant’s awareness of the filming), is meant to keep the offence more narrowly focused to preserve the balance between one person’s liberty and the other person’s autonomy and sexual integrity. As noted earlier, the language “reasonable expectation of privacy” also appears in the laws of those provinces that have made it a tort to disseminate intimate images without consent. For the minority justices, the issue is whether the offender has made public something that the victim had not wished to have public – something that undermines her autonomy and sexual integrity.

The problem with the minority approach, however, may lie in what made this case – which must have seemed like a no-brainer to so many – have to go all the way to the Supreme Court of Canada for a conviction to be entered. The trial judge in this case obviously struggled with his own perceptions that the young women in question were ‘putting it out there’. He wrote: “[i]t may be that a female student’s mode of attire may attract a debate about appropriate reactions of those who observe such a person leading up to whether there is unwarranted and disrespectful ogling” (Trial decision, at para 46). Perhaps the Court of Appeal’s focus on the public nature of the school and its hallways is also influenced by this idea that women’s bodies in public spaces are there for consumption. Without the majority’s contextual approach – one that directs us to consider a range of factors including the youth of victims and relationships of trust – the decisions from the courts below are perhaps proof enough that a more pared-down focus on “autonomy and sexual integrity” may just not cut it.

Published in Privacy
Thursday, 07 February 2019 08:09

Ontario Launches Data Strategy Consultation

On February 5, 2019 the Ontario Government launched a Data Strategy Consultation. This comes after a year of public debate and discussion about data governance issues raised by the proposed Quayside smart cities development in Toronto. It also comes at a time when the data-thirsty artificial intelligence industry in Canada is booming – and hoping very much to be able to continue to compete at the international level. Add to the mix the view that greater data sharing between government departments and agencies could make government ‘smarter’, more efficient, and more user-friendly. The context might be summed up in these terms: the public is increasingly concerned about the massive and widespread collection of data by governments and the private sector; at the same time, both governments and the private sector want easier access to more and better data.

Consultation is a good thing – particularly with as much at stake as there is here. This consultation began with a press release that links to a short text about the data strategy, and then a link to a survey which allows the public to provide feedback in the form of answers to specific questions. The survey is open until March 7, 2019. It seems that the government will then create a “Minister’s Task Force on Data” and that this body will be charged with developing a draft data strategy that will be opened for further consultation. The overall timeline seems remarkably short, with the process targeted to wrap up by Fall 2019.

The press release telegraphs the government’s views on what the outcome of this process must address. It notes that 55% of Canada’s big data vendors are located in Ontario, and that government plans “to make life easier for Ontarians by delivering simpler, faster and better digital services.” The goal is clearly to develop a data strategy that harnesses the power of data for use in both the private and public sectors.

If the Quayside project has taught anyone anything, it is that people do care about their data in the hands of both public and private sector actors. The press release acknowledges this by referencing the need for “ensuring that data privacy and protection is paramount, and that data will be kept safe and secure.” Yet perhaps the Ontario government has not been listening to all of the discussions around Quayside. While the press release and the introduction to the survey talk about privacy and security, neither document addresses the broader concerns that have been raised in the context of Quayside, nor those that are raised in relation to artificial intelligence more generally. There are concerns about bias and discrimination, transparency in algorithmic decision-making, profiling, targeting, and behavioural modification. Seamless sharing of data within government also raises concerns about mass surveillance. There is also a need to consider innovative solutions to data governance and the role the government might play in fostering or supporting these.

There is no doubt that the issues underlying this consultation are important ones. It is clear that the government intends to take steps to facilitate intra-governmental sharing of data as well as greater sharing of data between government and the private sector. It is also clear that much of that data will ultimately be about Ontarians. How this will happen, and what rights and values must be protected, are fundamental questions.

As is the case at the provincial and federal level across the country, the laws which govern data in Ontario were written for a different era. Not only are access to information and protection of privacy laws out of date, data-driven practices increasingly impact areas such as consumer protection, competition, credit reporting, and human rights. An effective data strategy might need to reach out across these different areas of law and policy.

Privacy and security – the issues singled out in the government’s documents – are important, but privacy must mean more than the narrow view of protecting identifiable individuals from identity theft. We need robust safeguards against undue surveillance, assurances that our data will not be used to profile or target us or our communities in ways that create or reinforce exclusion or disadvantage; we need to know how privacy and autonomy will be weighed in the balance against the stimulation of the economy and the encouragement of innovation. We also need to consider whether there are uses to which our data should simply not be put. Should some data be required to be stored in Canada, and if so in what circumstances? These and a host of other questions need to be part of the data strategy consultation. Perhaps a broader question might be why we are talking only about a data strategy and not a digital strategy. The approach of the government seems to focus on the narrow question of data as both an input and output – but not on the host of other questions around the digital technologies fueled by data. Such questions might include how governments should go about procuring digital technologies, the place of open source in government, the role and implication of technology standards – to name just a few.

With all of these important issues at stake, it is hard not to be disappointed by the form and substance of at least this initial phase of the government's consultation. It is difficult to say what value will be derived from the survey which is the vehicle for initial input. Some of the questions are frankly vapid. Consider question 2:

2. I’m interested in exploring the role of data in:

creating economic benefits

increasing public trust and confidence

better, smarter government

other

There is no box in which to write in what the “other” might be. And questions 9 to 11 provide sterling examples of leading questions:

9. Currently, the provincial government is unable to share information among ministries requiring individuals and businesses to submit the same information each time they interact with different parts of government. Do you agree that the government should be able to securely share data among ministries?

Yes

No

I’m not sure

10. Do you believe that allowing government to securely share data among ministries will streamline and improve interactions between citizens and government?

Yes

No

I’m not sure

11. If government made more of its own data available to businesses, this data could help those firms launch new services, products, and jobs for the people of Ontario. For example, government transport data could be used by startups and larger companies to help people find quicker routes home from work. Would you be in favour of the government responsibly sharing more of its own data with businesses, to help them create new jobs, products and services for Ontarians?

Yes

No

I’m not sure

In fairness, there are a few places in the survey where respondents can enter their own answers, including questions about what issues should be put to the task force and what skills and experience members should have. Those interested in data strategy should be sure to provide their input – both now and in the later phases to come.

Published in Privacy
Tuesday, 22 January 2019 16:56

Canada's Shifting Privacy Landscape

Note: This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

In early January 2019, Bell Canada caught the media spotlight over its “tailored marketing program”. The program will collect massive amounts of personal information, including “Internet browsing, streaming, TV viewing, location information, wireless and household calling patterns, app usage and the account information”. Bell’s background materials explain that “advertising is a reality” and that customers who opt into the program will see ads that are more relevant to their needs or interests. Bell promises that the information will not be shared with third party advertisers; instead it will enable Bell to offer those advertisers the ability to target ads to finely tuned categories of consumers. Once consumers opt in, their consent is presumed for any new services that they add to their account.

This is not the first time Bell has sought to collect vast amounts of data for targeted advertising purposes. In 2015, it terminated its short-lived and controversial “Relevant Ads” program after an investigation initiated by the Privacy Commissioner of Canada found that the “opt out” consent model chosen by Bell was inappropriate given the nature, volume and sensitivity of the information collected. Nevertheless, the Commissioner’s findings acknowledged that “Bell’s objective of maximizing advertising revenue while improving the online experience of customers was a legitimate business objective.”

Bell’s new tailored marketing program is based on “opt in” consent, meaning that consumers must choose to participate and are not automatically enrolled. This change and the OPC’s apparent acceptance of the legitimacy of targeted advertising programs in 2015 suggest that Bell may have brought its scheme within the parameters of PIPEDA. Yet media coverage of the new tailored ads program generated public pushback, suggesting that the privacy ground has shifted since 2015.

The rise of big data analytics and the stunning recent growth of artificial intelligence have sharply changed the commercial value of data, its potential uses, and the risks it may pose to individuals and communities. After the Cambridge Analytica scandal, there is also much greater awareness of the harms that can flow from consumer profiling and targeting. While conventional privacy risks of massive personal data collection remain (including the risk of data breaches, and enhanced surveillance), there are new risks that impact not just privacy but consumer choice, autonomy, and equality. Data misuse may also have broader impacts than just on individuals; such impacts may include group-based discrimination, and the kind of societal manipulation and disruption evidenced by the Cambridge Analytica scandal. It is not surprising, then, that both the goals and potential harms of targeted advertising may need rethinking, along with the nature and scope of data on which they rely.

The growth of digital and online services has also led to individuals effectively losing control over their personal information. There are too many privacy policies, they are too long and often obscure, products and services are needed on the fly and with little time to reflect, and most policies are ‘take-it-or-leave-it’. A growing number of voices are suggesting that consumers should have more control over their personal information, including the ability to benefit from its growing commercial value. They argue that companies that offer paid services (such as Bell) should offer rebates in exchange for the collection or use of personal data that goes beyond what is needed for basic service provision. No doubt, such advocates would be dismayed by Bell’s quid pro quo for its collection of massive amounts of detailed and often sensitive personal information: “more relevant ads”. Yet money-for-data schemes raise troubling issues, including the possibility that they could make privacy something that only the well-heeled can afford.

Another approach has been to call for reform of the sadly outdated Personal Information Protection and Electronic Documents Act. Proposals include giving the Privacy Commissioner enhanced enforcement powers, and creating ‘no go zones’ for certain types of information collection or uses. There is also interest in creating new rights such as the right to erasure, data portability, and rights to explanations of automated processing. PIPEDA reform, however, remains a mirage shimmering on the legislative horizon.

Meanwhile, the Privacy Commissioner has been working hard to squeeze the most out of PIPEDA. Among other measures, he has released new Guidelines for Obtaining Meaningful Consent, which took effect on January 1, 2019. These guidelines include a list of “must dos” and “should dos” to guide companies in obtaining adequate consent.

While Bell checks off many of the ‘must do’ boxes with its new program, the Guidelines indicate that “risks of harm and other consequences” of data collection must be made clear to consumers. These risks – which are not detailed in the FAQs related to the program – obviously include the risk of data breach. The collected data may also be of interest to law enforcement, and presumably it would be handed over to police with a warrant. A more complex risk relates to the fact that internet, phone and viewing services are often shared within a household (families or roommates) and targeted ads based on viewing/surfing/location could result in the disclosure of sensitive personal information to other members of the household.

Massive data collection, profiling and targeting clearly raise issues that go well beyond simple debates over opt-in or opt-out consent. The privacy landscape is changing – both in terms of risks and responses. Those engaged in data collection would be well advised to be attentive to these changes.

Published in Privacy

In Netlink Computer Inc. (Re), the British Columbia Supreme Court dismissed an application for leave to sue a trustee in bankruptcy for the alleged improper disposal of assets of a bankrupt company that contained the personal information of the company’s customers.

The issues at the heart of the application first reached public attention in September 2018 when a security expert described in a blog post how he noticed that servers from the defunct company were listed for sale on Craigslist. Posing as an interested buyer, he examined the computers and found that their unwiped hard drives contained what he reported as significant amounts of sensitive customer data, including credit card information and photographs of customer identification documents. Following the blog post, the RCMP and the BC Privacy Commissioner both launched investigations. Kipling Warner, who had been a customer of the defunct company Netlink, filed lawsuits against Netlink, the trustee in bankruptcy which had disposed of Netlink’s assets, the auction company Able Solutions, which had sold the assets, and Netlink’s landlord. All of the lawsuits include claims of breach of statutory obligations under the Personal Information Protection and Electronic Documents Act, breach of B.C.’s Privacy Act, and breach of B.C.’s Personal Information Protection Act. The plan was to have the lawsuits certified as class action proceedings. The action against Netlink was stayed due to the bankruptcy. The B.C. Supreme Court decision deals only with the action against the trustee, as leave of the court must be obtained in order to sue a trustee in bankruptcy.

As Master Harper explained in his reasons for decision, the threshold for granting leave to sue a trustee in bankruptcy is not high. The evidence presented in the claim must advance a prima facie case. Leave to proceed will be denied if the proposed action is considered frivolous or vexatious, since such a lawsuit would “interfere with the due administration of the bankrupt’s estate by the trustee” (at para 9). Essentially the court must balance the competing interests of the party suing the trustee and the interest in the efficient and timely wrapping up of the bankrupt’s estate.

The decision to dismiss the application in this case was based on a number of factors. Master Harper was not impressed by the fact that the multiple lawsuits brought against different actors all alleged the same grounds. He described this as a “scattergun approach” that suggested a weak evidentiary foundation. The application was supported by two affidavits: one from Mr. Warner, which the Master described as being based on inadmissible ‘double hearsay’, and one from the blogger, Mr. Doering. While Master Harper found that the Doering affidavit contained first-hand evidence from Doering’s investigation into the servers sold on Craigslist, he noted that Doering himself had not been convinced by the seller’s statements about how he came to be in possession of the servers. The Master noted that this did not provide a basis for finding that it was the trustee in bankruptcy who was responsible. The Master also noted that although an RCMP investigation had been launched at the time of the blog post, it had since concluded with no charges being laid. The Master’s conclusion was that there was no evidence to support a finding that any possible privacy breach “took place under the Trustee’s ‘supervision and control’.” (at para 58)

Although the application was dismissed, the case does highlight some important concerns about the handling of personal information in bankruptcy proceedings. Not only can customer databases be sold as assets in bankruptcy proceedings, Mr. Doering’s blog post raised the spectre of computer servers and computer hard drives being disposed of without properly being wiped of the personal data that they contain. Although he dismissed the application to file suit against the Trustee, Master Harper did express some concern about the Trustee’s lack of engagement with some of the issues raised by Mr. Warner. He noted that no evidence was provided by the Trustee “as to how, or if, the Trustee seeks to protect the privacy of customers when a bankrupt’s assets (including customer information) are sold in the bankruptcy process.” (at para 44) This is an important issue, but it is one on which there is relatively little information or discussion. A 2009 blog post from Quebec flags some of the concerns raised about privacy in bankruptcy proceedings; a more recent post suggests that while larger firms are more sophisticated in how they deal with personal information assets, the data in the hands of small and medium sized firms that experience bankruptcy may be more vulnerable.

Published in Privacy

Digital and data governance is challenging at the best of times. It has been particularly challenging in the context of Sidewalk Labs’ proposed Quayside development for a number of reasons. One of these is (at least from my point of view) an ongoing lack of clarity about who will ‘own’ or have custody or control over all of the data collected in the so-called smart city. The answer to this question is a fundamentally important piece of the data governance puzzle.

In Canada, personal data protection is a bit of a legislative patchwork. In Ontario, the collection, use or disclosure of personal information by the private sector, and in the course of commercial activity, is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). However, the collection, use and disclosure of personal data by municipalities and their agencies is governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), while the collection, use and disclosure of personal data by the province is subject to the Freedom of Information and Protection of Privacy Act (FIPPA). The latter two statutes – MFIPPA and FIPPA – contain other data governance requirements for public sector data. These relate to transparency, and include rules around access to information. The City of Toronto also has information management policies and protocols, including its Open Data Policy.

The documentation prepared for the December 13, 2018 Digital Strategy Advisory Panel (DSAP) meeting includes a slide that sets out implementation requirements for the Quayside development plan in relation to data and digital governance. A key requirement is: “Compliance with or exceedance of all applicable laws, regulations, policy documents and contractual obligations” (page 95). This is fine in principle, but it is not enough on its own to say that the Quayside project must “comply with all applicable laws”. At some point, it is necessary to identify what those applicable laws are. This has yet to be done. And the answer to the question of which laws apply in the context of privacy, transparency and data governance, depends upon who ultimately is considered to ‘own’ or have ‘custody or control’ of the data.

So – whose data is it? It is troubling that this remains unclear even at this stage in the discussions. The fact that Sidewalk Labs has been asked to propose a data governance scheme suggests that Sidewalk and Waterfront may be operating under the assumption that the data collected in the smart city development will be private sector data. There are indications buried in presentations and documentation that also suggest that Sidewalk Labs considers that it will ‘own’ the data. There is a great deal of talk in meetings and in documents about PIPEDA, which also indicates that there is an assumption between the parties that the data is private sector data. But what is the basis for this assumption? Governments can contract with a private sector company for data collection, data processing or data stewardship – but the private sector company can still be considered to act as an agent of the government, with the data being legally under the custody or control of the government and subject to public sector privacy and freedom of information laws. The presence of a private sector actor does not necessarily make the data private sector data.

If the data is private sector data, then PIPEDA will apply, and there will be no applicable access to information regime. PIPEDA also has different rules regarding consent to collection than are found in MFIPPA. If the data is considered ultimately to be municipal data, then it will be subject to MFIPPA’s rules regarding access and privacy, and it will be governed by the City of Toronto’s information management policies. These are very different regimes, and so the question of which one applies is quite fundamental. It is time for there to be a clear and forthright answer to this question.

Published in Privacy

A Global News story about Statistics Canada’s collection of detailed financial data of a half million Canadians has understandably raised concerns about privacy and data security. It also raises interesting questions about how governments can or should meet their obligations to produce quality national statistics in an age of big data.

According to Andrew Russell’s follow-up story, Stats Canada plans to collect detailed customer information from Canada’s nine largest banks. The information sought includes financial information such as account balances, transaction data, and credit card and bill payments. It is unclear whether the collection has started.

As a national statistical agency, Statistics Canada is charged with the task of collecting and producing data that “ensures Canadians have the key information on Canada's economy, society and environment that they require to function effectively as citizens and decision makers.” Canadians are perhaps most familiar with providing census data to Statistics Canada, including more detailed data through the long form census. However, the agency’s data collection is not limited to the census.

Statistics Canada’s role is important, and the agency has considerable expertise in carrying out its mission and in protecting privacy in the data it collects. This is not to say, however, that Statistics Canada never makes mistakes and never experiences privacy breaches. One of the concerns, therefore, with this large-scale collection of frankly sensitive data is the increased risk of privacy breaches.

The controversial collection of detailed financial data finds its legislative basis in this provision of the Statistics Act:

13 A person having the custody or charge of any documents or records that are maintained in any department or in any municipal office, corporation, business or organization, from which information sought in respect of the objects of this Act can be obtained or that would aid in the completion or correction of that information, shall grant access thereto for those purposes to a person authorized by the Chief Statistician to obtain that information or aid in the completion or correction of that information. [My emphasis]

Essentially, it confers enormous power on Stats Canada to request “documents or records” from third parties. Non-compliance with a request is an offence under s. 32 of the Act, which carries a penalty on conviction of a fine of up to $1000. A 2017 amendment to the legislation removed the possibility of imprisonment for this offence.

In case you were wondering whether Canada’s private sector data protection legislation offers any protection when it comes to companies sharing customer data with Statistics Canada, rest assured that it does not. Paragraph 7(3)(c.1) of the Personal Information Protection and Electronic Documents Act provides that an organization may disclose personal information without the knowledge or consent of an individual where the disclosure is:

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

[. . .]

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province

According to the Global News story, Statistics Canada notified the Office of the Privacy Commissioner about its data collection plan and obtained the Commissioner’s advice. In his recent Annual Report to Parliament the Commissioner reported on Statistics Canada’s growing practice of seeking private sector data:

We have consulted with Statistics Canada (StatCan) on a number of occasions over the past several years to discuss the privacy implications of its collection of administrative data – such as individuals’ mobile phone records, credit bureau reports, electricity bills, and so on. We spoke with the agency about this again in the past year, after a number of companies contacted us with concerns about StatCan requests for customer data.

The Commissioner suggested that Stats Canada might consider the collection of only data that has been deidentified at source rather than detailed personal information. He also recommended an ongoing assessment of the necessity and effectiveness of such programs.

The Commissioner also indicated that one of the problems with the controversial data collection by Statistics Canada is its lack of openness. He stated: “many Canadians might be surprised to learn the government is collecting their information in this way and for this purpose.” While part of this lack of transparency lies in the decision not to be more upfront about the data collection, part of it lies in the fact that the legislation itself – while capable of being read to permit this type of collection – clearly does not expressly contemplate it. Section 13 was drafted in a pre-digital, pre-big data era. It speaks of “documents or records”, and not “data”. While it is possible to interpret it so as to include massive quantities of data, the original drafters no doubt contemplated a collection activity on a much more modest scale. If Section 13 really does include the power to ask any organization to share its data with Stats Canada, then it has become potentially limitless in scope. At the time it was drafted, the limits were inherent in the analogue environment. There was only so much paper Stats Canada could ask for, and only so much paper it had the staff to process. In addition, there was only so much data that entities and organizations collected because they experienced the same limitations. The digital era means not only that there is a vast and increasing amount of detailed data collected by private sector organizations, but that this data can be transferred in large volumes with relative ease, and can be processed and analyzed with equal facility.

Statistics Canada is not the only national statistics organization to be using big data to supplement and enhance its data collection and generation. In some countries where statistical agencies struggle with a lack of human resources and funding, big data from the private sector offer opportunities to meet the data needs of their governments and economies. Statistical agencies everywhere recognize the potential of big data to produce more detailed, fine-grained and reliable data about many aspects of the economy. For example, the United Nations maintains a big data project inventory that catalogues experiments by national statistical agencies around the world with big data analytics. Remember the cancellation of the long form census by the Harper government? This was not a measure to protect Canadians’ privacy by collecting less information; it was motivated by a belief that better and more detailed data could be sought using other means – including reliance on private sector data.

It may well be that Statistics Canada needs the power to collect digital data to assist in data collection programs that serve national interests. However, the legislation that authorizes such collection must be up-to-date with our digital realities. Transparency requires an amendment to the legislation that would specifically enable the collection and use of digital and big data from the private sector for statistical purposes. Debate over the scope and wording of such a provision would give both the public and the potential third party data sources an opportunity to identify their concerns. It would also permit the shaping of limits and conditions that are specific to the nature and risks of this form of data collection.

Published in Privacy
Wednesday, 12 September 2018 13:44

Smart cities data - governance challenges

This post gives a brief overview of a talk I am giving September 12, 2018, on a panel hosted by the Centre for Law Technology and Society at uOttawa. The panel title is ‘Smart and the City’.

This post (and my presentation) explores the concept of the ‘smart’ city and lays the groundwork for a discussion of governance by exploring the different types of data collected in so-called smart cities.

Although the term ‘smart city’ is often bandied about, there is no common understanding of what it means. Anthony Townsend has defined smart cities as “places where information technology is combined with infrastructure, architecture, everyday objects, and even our bodies to address social, economic, and environmental problems.” (A. Townsend, Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia. (New York: W.W. Norton & Co., 2013), at p. 15). This definition emphasizes the embedding of information technologies within cities with the goal of solving a broad range of urban problems. Still, there is uncertainty as to which cities are ‘smart’ or at what point a city passes the invisible ‘smart’ threshold.

Embedded technologies are multiple and ever-evolving, and many are already in place in the cities in which we live. Technologies that have become relatively commonplace include smart transit cards, GPS systems on public vehicles (e.g.: buses, snowplows, emergency vehicles, etc.), smart metering for utilities, and surveillance and traffic cameras. Many of the technologies just identified collect data; smart technologies also process data using complex algorithms to generate analytics that can be used in problem identification and problem solving. Predictive policing is an example of a technology that generates information based on input data and complex algorithms.

While it is possible for a smart city to be built from the ground up, this is not the most common type of smart city. Instead, most cities become ‘smarter’ by increments, as governments adopt one technology after another to address particular needs and issues. While both from-the-ground-up and incremental smart cities raise important governance issues, it is the from-the-ground-up projects (such as Sidewalk Toronto) that get the most public attention. With incremental smart cities, the piecemeal adoption of technologies often occurs quietly, without notice, and thus potentially without proper attention being paid to important overarching governance issues such as data ownership and control, privacy, transparency, and security.

Canada has seen two major smart cities initiatives launched in the last year. These are the federal government’s Smart Cities Challenge – a contest between municipalities to fund the development of smart cities projects – and the Sidewalk Toronto initiative to create a from-the-ground-up smart development in Toronto’s Quayside area. Although Canadian cities have been becoming ‘smart’ by increments for some time now, these two high-profile initiatives have sparked discussion of the public policy issues, bringing important governance issues to the forefront.

These initiatives, like many others, have largely been conceived of and presented to the public as technology, infrastructure, and economic development projects. Rather than acknowledging up-front the need for governance innovation to accompany the emerging technologies, governance tends to get lost in the hype. Yet it is crucial. Smart cities feed off data, and residents are primary sources. Much of the data collected in smart cities is personal information, raising obvious privacy issues. Issues of ownership and control over smart cities data (whether personal or non-personal) are also important. They are relevant to who gets to access and use the data, for what purposes, and for whose profit. The public outcry over the Sidewalk Toronto project (examples here, here and here) clearly demonstrates that cities are not just tech laboratories; they are the places where we try to live decent and meaningful lives.

The governance issues facing so-called smart cities are complex. They may be difficult to disentangle from the prevailing ‘innovate or perish’ discourse. They are also rooted in technologies that are rapidly evolving. Existing laws and legal and policy frameworks may not be fully adequate to address smart cities challenges. This means that the governance issues raised by smart cities may require a rethinking of the existing law and policy infrastructure almost at pace with the emerging and evolving technologies.

The complexity of the governance challenges may be better understood when one considers the kind of data collected in smart cities. The narrower the categories of data, the more manageable data governance in the smart city will seem. However, the nature of information technologies, including the types and locations of sensors, and the fact that many smart cities are built incrementally, require a broad view of the types of data at play in smart cities. Here are some kinds of data collected and used in smart cities:

 

· traditional municipal government data (e.g. data about registrants or applicants for public housing or permits; data about water consumption, infrastructure, waste disposal, etc.)

· data collected by public authorities on behalf of governments (e.g.: electrical consumption data; transit data, etc.)

· sensor data (e.g.: data from embedded sensors such as traffic cameras, GPS devices, environmental sensors, smart meters)

· data sourced from private sector companies (e.g.: data about routes driven or cycled from companies such as Waze or Strava; social media data, etc.)

· data from individuals as sensors (e.g. data collected about the movements of individuals based on signals from their cell phones; data collected by citizen scientists; crowd-sourced data, etc.)

· data that is the product of analytics (e.g. predictive data, profiles, etc.)

 

Public sector access to information and protection of privacy legislation provides some sort of framework for transparency and privacy when it comes to public sector data, but clearly such legislation is not well adapted to the diversity of smart cities data. While some data will be clearly owned and controlled by the municipality, other data will not be. Further, the increasingly complex relationship between public and private sectors around input data and data analytics means that there will be a growing number of conflicts between rights of access and transparency on the one hand, and the protection of confidential commercial information on the other.

Given that few ‘smart’ cities will be built from the ground up (with the potential for integrated data governance mechanisms), the complexity and diversity of smart cities data and technologies creates a stark challenge for developing appropriate data governance.

 

(Sorry to leave a cliff hanger – I have some forthcoming work on smart cities data governance which I hope will be published by the end of this year. Stay tuned!)

 

 

Published in Privacy

A recent Federal Court decision highlights the risks to privacy that could flow from unrestrained access by government to data in the hands of private sector companies. It also demonstrates the importance of judicial oversight in ensuring transparency and the protection of privacy.

The Income Tax Act (ITA) gives the Minister of National Revenue (MNR) the power to seek information held by third parties where it is relevant to the administration of the income tax regime. However, where the information sought is about unnamed persons, the law requires judicial oversight. A judge of the Federal Court must review and approve the information “requirement”. Just such a matter arose in Canada (Minister of National Revenue) v. Hydro-Québec. The MNR sought information from Hydro-Québec, the province’s electrical utility, about a large number of its business customers. Only a few classes of customers, such as heavy industries that consumed very large amounts of electricity, were excluded. Hydro itself did not object to the request and was prepared to fulfil it if ordered to do so by the Federal Court. The request was considered by Justice Roy who noted that because the information was about unnamed and therefore unrepresented persons, it was “up to the Court to consider their interests.” (at para 5)

Under s. 231.2(3) of the ITA, before ordering the disclosure of information about unnamed persons, a judge must be satisfied that:

(a) the person or group is ascertainable; and

(b) the requirement is made to verify compliance by the person or persons with any duty or obligation under this Act.

The information sought from Hydro in digital format included customer names, business numbers, full billing addresses, addresses of each place where electricity is consumed, telephone numbers associated with the account, billing start dates, and, if applicable, end dates, and any late payment notices sent to the customer.

Justice Roy noted that no information had been provided to the court to indicate whether the MNR had any suspicions about the tax compliance of business customers of Hydro-Quebec. Nor was there much detail about what the MNR planned to do with the information. The documents provided by the MNR, as summarized by the Court, stated that the MNR was “looking to identify those who seem to be carrying on a business but failed to file all the required income tax returns.” (at para 14) However, Justice Roy noted that there were clearly also plans to share the information with other groups at the Canada Revenue Agency (CRA). These groups would use the information to determine “whether the individuals and companies complied with their obligations under the ITA and the ETA”. (at para 14)

Justice Roy was sympathetic to the need of government to have powerful means of enforcing tax laws that depend upon self-reporting of income. However, he found that what the MNR was attempting to do under s. 231.2 went too far. He ruled that the words used in that provision had to be interpreted in light of “the right of everyone to be left alone by the state”. (at para 28) He observed that it is clear from the wording of the Act that “Parliament wanted to limit the scope of the Minister’s powers, extensive as they are.” (at para 68)

Justice Roy carefully reviewed past jurisprudence interpreting s. 231.2(3). He noted that the section has always received a strict interpretation by judges. In past cases where orders had been issued, the groups of unnamed persons about whom information was sought were clearly ascertainable, and the information sought was “directly related to these taxpayers’ tax status because it is financial in nature.” (at para 63) In the present case, he found that the group was not ascertainable, and the information sought “has nothing to do with tax-status.” (at para 63)

In his view, the aim of the request was to determine the identity of business customers of Hydro-Québec. The information was not sought in relation to a good faith audit, and with a proper factual basis. Because it was a fishing expedition meant to determine who might suitably be audited, the group of individuals identified by Hydro-Québec could not be considered “ascertainable”, as was required by the law. Justice Roy noted that no information was provided to demonstrate what “business customer” meant. He observed that “the Minister would render the concept of “ascertainable group” meaningless if, in the context of the ITA, she may claim that any group is an ascertainable group.” (at para 78) He opined that giving such broad meaning to “ascertainable” could be an abuse that would lead to violations of privacy by the state.

Justice Roy also found that the second condition of s. 231.2(3) was not met. Section 231.2(3)(b) required that the information be sought in order “to verify compliance by the person or persons in the group with any duty or obligation under this Act.” He observed that the MNR was seeking an interpretation of this provision that would amount to: “Any information the Minister may consider directly or indirectly useful”. (at para 80) Justice Roy favoured a much more restrictive interpretation, limiting it to information that could “shed light on compliance with the Act.” (at para 80) He found that “the knowledge of who has a business account with Hydro-Québec does not meet the requirement of a more direct connection between the information and documents and compliance with the Act.” (at para 80)

The MNR had argued that if the two conditions of s. 231.2(3) were met, then a judge was required to issue the authorization. Because Justice Roy found the two conditions were not met, the argument was moot. Nevertheless, he noted that even if he had found the conditions to be met, he would still have had the discretion to deny the authorization if to grant it would harm the public interest. In this case, there would be a considerable invasion of privacy “given the number of people indiscriminately included in the requirement for which authorization of the Court is being sought.” (at para 88) He also found that the fact that digital data was sought increased the general risk of harm. He observed that “the applicant chose not to restrict the use she could make of the large quantity of information she received” (at para 91) and that it was clearly planned that the information would be shared within the CRA. Justice Roy concluded that even if he erred in his interpretation of the criteria in s. 231.2(3), and these criteria had to be given a broad meaning, he would still not have granted the authorization on the basis that “judicial intervention is required to prevent such an invasion of the privacy of many people in Quebec.” (at para 96) Such intervention would particularly be required where “the fishing expedition is of unprecedented magnitude and the information being sought is far from serving to verify compliance with the Act.” (at para 96)

This is a strong decision which clearly protects the public interest. It serves to highlight the privacy risks in an era where both private and public sectors amass vast quantities of personal information in digital form. Although the ITA provides a framework to ensure judicial oversight in order to limit potential abuses, there are still far too many other contexts where information flows freely and where there may be insufficient oversight, transparency or accountability.

 

Published in Privacy

The report of an investigator for Ontario’s Office of the Information and Privacy Commissioner (OIPC) into personal information contained within a published tribunal decision adds to the debate around how to balance individual privacy with the open courts principle. In this case (Privacy Complaint No. PC17-9), the respondent is the Ontario Human Rights Tribunal (OHRT), established under the Ontario Human Rights Code. The OHRT often hears matters involving highly sensitive personal information. Where an adjudicator considers it relevant to their decision, they may include this information in their written reasons. Although a party may request that the decision be anonymized to protect their personal information, OHRT adjudicators have been sparing in granting requests for anonymization, citing the importance of the open courts principle.

The OIPC investigated after receiving a complaint about the reporting of sensitive personal information in an OHRT decision. The interesting twist in this case was that the personal information at issue was not that of the person who had complained to the OHRT (the ‘OHRT complainant’), and whose complaint had led to the tribunal hearing. Rather, it was the personal information of the OHRT complainant’s sister and mother. The complaint to the OIPC was made by the sister (the ‘OIPC complainant’) on behalf of herself and her mother. Although the sister’s and mother’s names were not used in the OHRT decision, they argued that they were easily identifiable since they lived in a small town and shared a distinctive surname with the OHRT complainant. The OIPC investigator agreed. She noted that the information at the heart of the complaint consisted of “the applicant’s name, the applicant’s mother’s age, the mother’s primary language, the number of medications the applicant’s mother was taking, the reason for the medication, the state of the mother’s memory and the city the complainant resides in.” (at para 19). The investigator found that although the names of the OIPC complainant and her mother were not mentioned, their relationship to the OHRT complainant was. She observed: “Given that the applicant’s name is available, the uniqueness of the names and the size of the community, it is reasonable to assume that someone reading the decision would be able to identify her mother and sister and connect the information in the decision to them.” (at para 26)

Since the OHRT is a public body, and the information at issue was personal information, the OIPC complainant argued that the OHRT had breached the province’s Freedom of Information and Protection of Privacy Act (FIPPA) by publishing this information in its decision. For its part, the OHRT argued that the information was exempted from the application of FIPPA under s. 37 of that Act because it was “personal information that is maintained for the purpose of creating a record that is available to the general public”. It argued that it has an adjudicative mandate under the Human Rights Code and that the Statutory Powers Procedures Act (SPPA) permits it to determine its own practices and procedures. Although neither the OHRC nor the SPPA address the publication of decisions, the OHRT had decided that as a matter of practice, its decisions would be published, including on the public legal information website CanLII. The OHRT also argued that its proceedings were subject to the open courts principle. This argument was supported by the recent Ontario Superior Court decision (discussed here) which confirmed that the open courts principle applied to the decisions of statutory tribunals. The investigator agreed with the OHRT. She observed that “[o]penness at tribunals tends to improve the quality of testimony and for that reason is conducive to the pursuit of truth in adjudicative proceedings.” (at para 56). She noted as well that the other elements of the open courts principle, including “oversight of decision-makers, the integrity of the administration of justice, and the educational and democracy-enhancing features of open courts” (at para 57) were all linked to the Charter value of freedom of expression. 
She accepted that the publication of reasons for decision was part of the openness principle, and concluded that: “The publication of decisions is an aspect of the Tribunal’s control over its own process and the information that is included in the Tribunal’s decisions is within the adjudicator’s discretion in providing reasons for those decisions.” (at para 65) She noted that many public values were served by the publication of the Tribunal’s decisions: “The publication of its decisions supports public confidence in the justice system, serves an educational purpose, promotes accountability by the Tribunal for its decision-making, and ensures that the public has the information necessary to exercise the Charter right to freedom of expression.” (at para 66) As a result, she concluded that s. 37 of FIPPA excluded the published decisions from the application of the privacy provisions of the Act.

This seems like an appropriate conclusion given the legislative framework. However, it does raise two general points of importance with respect to how the OHRT deals with personal information in its decisions. First, human rights legislation exists in an attempt to provide recourse and redress for those who experience discrimination in contexts which closely affect their lives, such as employment, accommodation, and the receipt of services. The prohibited grounds of discrimination are ones which touch on highly personal and intimate aspects of people’s lives, relating to sexual identity, national origin, religion, and mental or physical disability, to provide but a few examples. Personal information of this kind is generally considered highly sensitive. The spectre that it will be published – online – alongside an individual’s name, might be daunting enough to prevent some from seeking redress under the legislation at all. For example, fear that the online publication of one’s mental health information might make it difficult to find future employment could prevent a person from filing a complaint of discrimination. This would seem to subvert the purpose of human rights legislation. And yet, human rights tribunals have been reticent in granting requests for anonymization, citing the open courts principle.

Secondly, this case raises the further issue of how the sensitive personal information of third parties – who were neither witnesses before the tribunal nor complainants to the OHRC – ended up in a decision published online, and for which the Tribunal had refused an anonymization request. The OIPC investigator concluded her report by recommending that the OHRT “continue to apply data minimization principles in the drafting of its decisions and include only personal information necessary to achieve the purpose of those decisions.” (at para 72) In the absence of clear directives for dealing with the online publication of personal information in court or tribunal decisions, and appropriate training for adjudicators, this gentle reminder seems to be the best that complainants can hope for. It is not good enough. One need only recall the complaints to the Office of the Privacy Commissioner of Canada about the offshore website that had scraped decisions from CanLII and court websites in order to make them available in fully indexable form over the internet, to realize that we have important unresolved issues about how personal information is published and disseminated in court and tribunal decisions in Canada.

Published in Privacy