Teresa Scassa - Blog

On April 24, 2014 the Supreme Court of Canada handed down a decision which at least touches upon the thorny question of what constitutes “personal information”. This question is particularly important to governments that are contemplating the proactive release of government data under commitments to open government. The issue is far from academic, as federal, provincial and municipal governments in Canada have all taken steps in this direction. Indeed, the Ontario government has just signaled its own commitment to open government, which will include proactive disclosure of government data.

Most public sector data protection laws in Canada define “personal information” as essentially information about an identifiable individual. This means that “personal information” is more than just information that actually identifies an individual (their name or social insurance number, for example) but also includes any other information that, if linked with other available information, could lead to the identification of a specific individual. Thus, a government contemplating the proactive disclosure of data sets under an open data program, would have to ensure that the data sets were free not just of individuals’ names and identification numbers, but also free of data that could be linked back to specific individuals. This can be more challenging than one might think, particularly as we live in an environment where more and more data is becoming easily available from both public and private sector sources, and where search engines, algorithms and computing power make mining and matching information increasingly fast, inexpensive and easy.

The case – Ministry of Community Safety and Correctional Services v. Information and Privacy Commissioner (Ontario) – involved an access to information request made by a journalist to the Ministry of Community Safety and Correctional Services. The journalist sought the disclosure of the number of registered sex offenders in Ontario who lived within each postal code forward sortation area (the area designated by the first three digits of a postal code). The journalist did not seek access to this information by full postal code, presumably because this finer level of detail might lead to the identification of those individuals, particularly where there were relatively few residences associated with a particular postal code. While Ontario maintains a sex offender registry, the locations of the registered sex offenders are not public information. The register is intended primarily for use by law enforcement officials. The journalist planned to create a map which would allow the public to see a more generalized geographic representation of where registered sex offenders in Ontario were living. The Ministry refused to disclose this information on the basis that it could lead to the identification of specific individuals. It argued not just that the information could not be disclosed because it fell within the definition of “personal information” but also because its release would interfere with law enforcement, endanger the life or physical safety of the individuals, and might hamper the control of crime (by making sex offenders less likely to comply with the registration requirements out of fear of identification). All of these bases are exceptions to disclosure of information under the provinces Freedom of Information and Protection of Privacy Act (FIPPA). The Ministry’s refusal was appealed by the journalist to the Office of the Information and Privacy Commissioner, which ordered that the information be disclosed. The Commissioner’s decision was upheld by the courts all the way up to the Supreme Court of Canada, which also upheld the order to release the information sought by the journalist.

The Supreme Court considered three issues: the level of deference due to the decision of the Information Commissioner, whether access was ordered for purposes inconsistent either with FIPPA or with the law governing the sex offender registry, and whether the Commissioner’s interpretation of the scope of the law enforcement exceptions to information disclosure was appropriate. Yet underlying these issues was a key question which itself was not in dispute before the Court. This was whether the information sought constituted personal information – in other words, information about an identifiable individual. The approach of the Commissioner to this question was not part of the appeal, yet once it was accepted that the information sought was not personal information, it would be difficult to find that any of the harm-based exceptions to disclosure would apply – no matter what interpretation they were given – because information that could not lead to the identification of specific individuals would be highly unlikely to cause them harm and, in theory at least, less likely to deter them from complying with the registry requirements.

In refusing to disclose the information, the Ministry had argued that the information being sought was personal information because it could be linked with other available information in order to re-identify individuals. This issue of the potential for re-identification is central to the question of whether information qualifies as a personal information, and in the context of open data, it will be crucial in decisions about whether certain data sets may be proactively disclosed. It is important to note that the Commissioner in this case observed that the Ministry had not advanced any cogent evidence of the potential for re-identification. This point was picked up by the courts below, and the Supreme Court of Canada agreed. Writing for the Court, Justice Cromwell noted that “the Commissioner determined that the Ministry did not provide any specific evidence explaining how the Record could be cross-referenced with other information in order to identify sex offenders. We find this to be a reasonable determination.” (at para 60) Indeed, very little specific evidence was provided, and the court dismissed more general literature on re-identification as “unconvincing and generic scholarly research on ‘identifiability’.” (at para 60) The Court also agreed with the Commissioner’s rejection of the Ministry’s assertions that more information might someday be available on the Internet that could, if matched with the sex offender data, lead to identification. Justice Cromwell stated: “it must be stressed that the Ministry only referred vaguely to the unpredictability of internet developments and did not provide any specifics about how identification could occur.” (at para 61).

The case involved a dispute over the release of data in the context of a specific access to information request. Yet there are lessons here for those tasked with identifying data sets for proactive release for the purposes of open data. These might be summarized as follows:

• The definition of “personal information” under access to information and data protection laws in Canada tends to be broad and will include information about an identifiable individual. Thus it is important to consider not just whether there are specific personal identifiers in the data set, but whether this data could, if matched with other available data, lead to the identification of specific individuals.

• In considering the likelihood of re-identification, it would seem that the balance between the goals of transparency and accountability and those of privacy protection do not require ‘worst case scenario’ or extreme hypothetical speculation. In the access to information context, the department or agency in question would bear the burden of justifying a refusal to disclose, and justification must be more than assertions. Presumably the same standard would apply to proactive disclosure. The law does not require excessive caution.

• In considering the possibility of re-identification, it might also be appropriate to consider how sensitive the personal information would be if re-identification were achieved. In Ministry of Community Safety, the information at risk of disclosure through re-identification was highly sensitive – the location of registered sex offenders. Presumably this might give some an incentive to attempt re-identification, perhaps warranting greater caution in the decision about whether to release the information. Nevertheless, the Commissioner, and ultimately the courts, still required some evidence that re-identification was possible.

A recent decision from the Federal Court of Canada squarely addresses the issue of copyright trolls and the impact they may have on ordinary Internet users. It also highlights the importance of public interest advocacy in a context that is rife with economic and power imbalances.

The Internet is widely used as a source of content – whether it is in the form of film, music, text or visual works. While there is a great deal of content available both free and for a fee from authorized distributors, other content is shared without the consent of copyright holders. Where unauthorized distribution takes place, copyright may be infringed – but of course whether there has been actual infringement by the downstream user may depend upon a range of considerations.

Copyright owners – particularly those in the film and music industries – have for some time now been decrying the widespread unauthorized sharing of content over the Internet. They have also adopted a variety of strategies to impede these activities. These have included suing file-sharing services such as Napster, Grokster or Pirate Bay, with a view to having them shut down, public education campaigns, and threats of legal action or actual law suits against individual downloaders of protected content. It is with respect to this latter category of action that the label “copyright troll” has been used.

In Voltage Pictures LLC v. John Doe and Jane Doe, Prothonotary Aalto of the Federal Court considered an application for an order to compel Internet service provider TekSavvy to disclose the identities of individuals linked to some 2000 IP addresses that in turn had been associated with illegal downloading of Voltage’s copyright protected films. An earlier Federal Court of Appeal decision in a case involving music downloads had outlined the circumstances in which such an order might be granted, taking into consideration the necessary balance between the applicant’s rights and the privacy rights of the individuals linked to IP addresses. Voltage argued that it had met all of the requirements of this test.

The Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, more commonly known as CIPPIC, intervened in this case in the public interest. CIPPIC’s intervention was particularly important given that there was really no other available party to speak out for the interests of the still anonymous Internet users whose identities might be disclosed were an order to be issued. It is clear as well from reading Prothonotary Aalto’s reasons, that CIPPIC’s submissions had a significant impact on the outcome.

The decision begins with a quote from a U.S. case which speaks of the rise of “copyright trolls”, and it is clear that the spectre of such trolls looms over the Federal Court’s decision. The concept of “trolls” has become common in both patent and copyright litigation. In the copyright context, a troll is a plaintiff who files “multitudes of lawsuits solely to extort quick settlements”.[1] Trolling is a business model in its own right – suits are launched not so much in order to deter or to compensate for the harm caused by infringement; rather, trolling generates revenue by compelling individuals to settle for sums that are lower than the cost of obtaining legal advice and pursing a defence to the threatened action. As Prothonotary Aalto noted in his extensive reasons, copyright trolls have been active in other jurisdictions, and courts in both the U.K. and the U.S. have striven to find an appropriate result that protects individuals while recognizing the rights of copyright owners to bring legal action.

Prothonotary Aalto’s decision is, in fact, an exploration of the issues raised and an attempt to find an appropriate balance between the rights of individuals to pursue their online activities without having their identities disclosed to third parties, and the rights of copyright owners to sue for infringing uses of their works. He begins his reasons by considering the test for a Norwich Order laid out by the Federal Court of Appeal in BMG v. John Doe, another case which required the court to balance privacy interests against the rights of copyright holders. Although in Voltage, CIPPIC argued that the threshold for the application of this test was too low, and that parties seeking disclosures of the names of individual Internet users should have to make out a prima facie case of infringement, rather than just a bona fide (good faith) claim, Prothonotary Aalto found that the test set out by the Federal Court of Appeal was both appropriate and applicable. He also found that Voltage had met the prescribed test, ruling that “the enforcement of Voltage’s rights as a copyright holder outweighs the privacy interests of the affected internet users.” (at para 57) He noted, however, that the test left room to consider and to moderate the impact of the order on privacy rights.

There was no evidence in this case that Voltage was a copyright troll. Indeed, Prothonotary Aalto found that Voltage had met its burden of showing that it had a genuine copyright infringement case and that a court order to compel TekSavvy to release the contact information of some of its customers was the only reasonable means of establishing the identities of the alleged infringers. However, he acknowledged evidence and argument by CIPPIC to the effect that there might be technological flaws in the methods used to link IP addresses to downloading activities, such that some IP addresses may have been identified in error. He also accepted that some of the downloading activity might be justifiable under one defense or another. More importantly, perhaps, he was sensitive to the evidence supplied by CIPPIC of copyright troll activities in other jurisdictions and of the concerns of courts in those jurisdictions regarding such practices.

Ultimately, Prothonotary Aalto’s decision seeks to balance the intellectual property rights of the copyright owner with the privacy rights of individuals who might be identified as a result of a court granting a Norwich Order. In his view, it is only in a case where there is “compelling evidence of improper motive on behalf of a plaintiff in seeking to obtain information about alleged infringers” that a court would be justified in refusing to grant such an order. (at para 133) Nevertheless, the court has the authority to place terms and conditions on the grant of the order, and these terms and conditions can protect the privacy of individuals by ensuring that their personal information is not shared or misused by a company that seeks this information for improper purposes, such as copyright trolling.

In issuing the Norwich Order in this case – which compels TekSavvy to furnish the information sought, Prothonotary Aalto placed significant limits on the order. In the first place, Voltage is ordered to compensate TekSavvy for its legal and administrative costs in compiling the requested information. A copy of the court’s order must accompany any correspondence sent to TekSavvy customers by Voltage as a result of the sharing of the customer information. Any such correspondence must also “clearly state in bold type that no Court has yet made a determination that such Subscriber has infringed or is liable in any way for payment of damages.” (clause 8 of the order) This is to avoid the type of demand letter seen in copyright troll cases in other jurisdictions where letters sent to individuals convey the impression that conclusions have already been reached on issues of infringement. As an additional safeguard, Prothonotary Aalto ordered that a draft of any such letter must be reviewed by the Case Management Judge appointed to oversee the process before it is sent to any individuals. The order also provides that the personal information shared by TekSavvy as a result of the order must be kept confidential by Voltage and must not be shared with anyone else – including the general public or the media -- without the court’s permission.

The decision in this case is a welcome one. It reflects a serious effort to ensure fairness and balance between the parties. It provides the applicant with the means to obtain the information it needs to pursue copyright infringement claims; at the same time, it imposes restrictions designed to ensure that the personal information is not used improperly to generate revenue well in excess of any damages suffered by the rights holder by pushing individuals into settlements in order to avoid the costs and stresses of threatened litigation. The decision is a direct result of public interest advocacy and a reminder of the important role played by organizations such as CIPPIC.

It is worth noting that the 2012 amendments to the Copyright Act included changes to the statutory damages provisions in that statute. These provisions allow plaintiffs to opt for a fixed amount of damages in cases of infringement – in other words, to be compensated without having to establish any particular losses. The 2012 amendments drastically reduced the amount of statutory damages that can be awarded against individuals whose infringing activities are essentially non-commercial. This takes away the ability for plaintiffs to stack statutory damages in suits against individual downloaders in order to arrive at the ridiculously high (and ultimately punitive) damage awards that we have seen in the U.S. in lawsuits against students or other private individuals whose downloading was simply for their own consumption. The message from Parliament is clearly that this type of conduct, while still infringing, should not be be exploited by rights holders either to “send messages” or to provide a new business model based on serial demand letters to large numbers of vulnerable individuals. The decision by Prothonotary Aalto is in keeping with this message. While copyright owners are entitled to enforce their rights through the courts, the courts must ensure that “the judicial process is not being used to support a business model intended to coerce innocent individuals to make payments to avoid being sued.” (at para 35)

In the wake of the recent Supreme Court of Canada decision in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, which found Alberta’s private sector data protection statute to be unconstitutional for violating the freedom of expression, the Quebec Court of Appeal has recently released a decision that also examines the relationship between privacy and the freedom of expression.

In 9179-3588 Québec inc. (Institut Drouin) c. Drouin, the appellant company challenged a court order that it cease to distribute information found in the 2003 Quebec electoral list, and that it destroy all data it obtained from that list. The company offers services to those interested in genealogy. In 2005 it began distributing, free of charge and over the internet, a directory which was largely composed of data taken from Quebec’s 2003 electoral list. How this information came into the company’s hands is unknown; the public release of this data by the electoral office was not permitted under its legislation. The information on the list included the names, addresses, gender and age of all persons over the age of 18 living in Quebec in 2003. While this initial online distribution ceased after complaints from Quebec’s electoral office, in 2006 the company began selling a version of the directory. Quebec’s electoral office took legal action to stop any further distribution of the information and to attempt to recover the copies of the directory that had been sold. They were successful at first instance, leading to an appeal before the Quebec Court of Appeal.

The appellant company argued on appeal that its constitutional rights to freedom of expression were violated by the court order that prevented its distribution of the information. It also argued that the information at issue was essentially public in character, and that an exception in the province’s private sector data protection legislation permitted the distribution of such information.

Justice Dalphond, writing for the unanimous court, began by outlining the protection available under Quebec’s Election Act. The Act specifically provides that the electoral list is confidential, and that the information relating to voters is not public information within the meaning of the province’s access to information legislation. In rejecting the argument that the information was public in character, Justice Dalphond relied not only on the terms of the Election Act, but also on the fact that the kind of information provided in the list is such that it could allow others to draw inferences about the social status (for example, elderly persons living alone), economic status, sexual orientation, or even the number of persons living in a single home. The Court found that this information that could be derived from the list was not public in character.

Quebec’s private sector data protection legislation contains an exception for the free dissemination of information – similar in purpose, though quite different in wording, to that which posed a problem in the United Food and Commercial Workers case. The Quebec statute provides that it does not apply “to journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public.” The appellant argued that as a private sector corporation, this provision left it free to disseminate the electoral information. The Court of Appeal disagreed. Justice Dalphond observed that the private sector data protection statute was not meant to override privacy protections available under other statute. In this case, the specific provisions in the Election Act that prohibited the distribution of the information took precedence, as clearly set out in s. 94 of the Election Act.

The appellant company next argued that its freedom of expression was being unduly limited by the bar on distribution of the information. In this case, the information should not ever have come into the company’s hands – information had somehow been illegally shared. However, the court noted that the fact of an initial improper leak did not limit freedom of expression rights. It compared the situation to the journalism context, where journalists are bound by their own obligations of confidentiality, but are not limited in the distribution of information that has provided to them by sources who themselves have breached obligations of confidentiality. Justice Dalphond noted that such leaks are often of great public interest, and he concluded that the fact that the source might have illegally shared the information does not prevent the recipient from relying upon the Charter guarantee of freedom of expression.

Because the Election Act prohibits anyone from disclosing the information on the electoral list, the Court next considered whether this prohibition violated the freedom of expression. It found that the distribution of information relevant to genealogical inquiries was protected expression. However, because the disclosed information was also personal information, the right to freedom of expression had to be balanced against privacy rights which were quasi-constitutional in character. The court found that the protection of privacy was a pressing and substantial issue, and that the ban on using the information was rationally connected to the goal of privacy protection. It also found that the prohibition on using the information was minimally impairing given that the distribution of the information by a third party would completely strip individuals of any control over the personal information that they had provided to the government under a guarantee that the information would be kept confidential and that it would be used only for electoral purposes. The Court concluded that these measures were proportional to the objective, and noted that the result was not a ban on the practice of genealogy – it merely required those seeking their origins to rely on other databases and data sources. The Court concluded that there was no violation of freedom of expression in prohibiting the dissemination of the information, as any limit was justifiable in a free and democratic society.

The Supreme Court of Canada has struck down Alberta’s Personal Information Protection Act (PIPA), on the grounds that it violates the guarantee of freedom of expression in the Canadian Charter of Rights and Freedom. The invalidation of the legislation has been suspended for 12 months to give the Alberta government time to amend the legislation so as to bring it into compliance with the Charter.

The conflict between privacy rights and the freedom of expression in Information and Privacy Commissioner of Alberta v. United Food and Commercial Workers, Local 401 arose after an adjudicator under PIPA ruled that the Union’s practice of taking photographs and videotapes of people crossing its picket line during a labour dispute – and of using some of the footage on its website – contravened the data protection statute. Judges at the Alberta Court of Queen’s Bench and the Alberta Court of Appeal had found that to the extent that PIPA restrained the ability of the Union to collect, use and disclose personal information in relation to a labour dispute it violated the Union’s freedom of expression. Although the statute contains a series of exceptions that cover a range of circumstances, none of these exceptions were available to the Union. Some of these exceptions were specifically crafted to balance privacy rights with the freedom of expression, but the exceptions for material collected, used or disclosed “for journalistic purposes and for no other purpose” or “for artistic or literary purposes and for no other purpose” were found not to apply to the Union’s activities. As a result, the limitation on the freedom of expression was not mitigated, and the legislation was found to contravene the Charter.

In substance, the Supreme Court of Canada was of much the same view as the courts below. Emphasizing the importance of freedom of expression in the labour relations context, Justices Abella and Cromwell, for a unanimous court, found that the private sector data protection statute did not properly balance this freedom with privacy rights.

In reaching their decision, Justices Abella and Cromwell emphasized the quasi-constitutional nature of data protection legislation “because of the fundamental role privacy plays in the preservation of a free and democratic society.” (at para 19) The Court also emphasized that control over one’s personal information was of central importance to the human values of autonomy, dignity and privacy. While the court has made statements of this nature before, it is important to hear them used in relation to private sector data protection legislation.

However, the Court criticized PIPA for limiting the collection, use and disclosure of personal information, other than with consent, “without regard for the nature of the personal information, the purpose for which it is collected, used or disclosed, and the situational context for that information.” (para 25). While this may be true in the particular factual context of this case (in other words, there is no exception tailored to the labour relations context) it is not true generally, as PIPA does indeed include a raft of exceptions to the consent principle that are tailored to a wide range of contexts, including investigations, audits, archival purposes, and so on. There are also the above-noted exceptions for journalistic, artistic or literary purposes, and further exceptions for information collected for purely private or domestic purposes. The flaw, it would seem, is that PIPA does not contain an exception crafted to deal with the labour relations context. This is supported by the Court’s statement that “the Act does not include any mechanisms by which a union’s constitutional right to freedom of expression may be balanced with the interests protected by the legislation.” (at para 25) Later in the decision the Court states that “[t]o the extent that PIPA restricted the Union’s collection, use and disclosure of personal information for legitimate labour relations purposes, the Act violates s. 2(b) of the Charter and cannot be justified under s. 1.” (at para 38) It would appear, then, that the constitutional violation is narrowly cast; a fairly straightforward way for the legislature to respond to the Court’s decision would be to craft an exception specifically for the labour relations context.

It is worth noting that the Court also specifies that PIPA is “considerably broader” in scope than the federal private data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). This is because PIPEDA applies only to the collection, use or disclosure of personal information in the course of commercial activity. Thus it would not have applied in the circumstances of this case. PIPA, by contrast, applies to organizations engaged in a much broader range of activities; its application specifically extends to trade unions. The distinction is important: in the unlikely event that the Alberta government does not act to save its legislation, PIPEDA would fill the gap left by PIPA’s invalidation, and would apply to private sector data collection, use and disclosure in the course of commercial activity in Alberta. The distinction also suggests that PIPEDA itself is not at risk of being found unconstitutional on these grounds, and that Parliament need not act to save it from such peril. This is just as well, since Parliament’s inability or unwillingness to reform PIPEDA is by now well-established.

It is noteworthy that the Court states that “[i]t goes without saying that by appearing in public, an individual does not automatically forfeit his or her interest in retaining control over the personal information which is thereby exposed.” (at para 27). It is not to be assumed that this goes without saying. For example, in the Leon’s Furniture decision from the Alberta Court of Appeal, for which leave to appeal to the Supreme Court of Canada was refused, the majority of the Court of Appeal had appeared to find a correlation between private and personal information, suggesting that information in public view was somehow exempt from the reach of data protection legislation. The affirmation by the Supreme Court of Canada that information in public can still be personal information is more important than the Court lets on.

The decision in this case raises issues for British Columbia’s Personal Information Protection Act, which, like its Alberta counterpart, applies to trade unions. It will also have implications for the newly enacted, though not yet in force, Personal Information Protection and Identity Theft Prevention Act in Manitoba. This statute, which has other issues, also extends in its application to unions. The BC and Manitoba legislatures may thus also need to turn their attention to crafting an exception relating to the application of the statute to the labour relations context.

A recent decision of the Federal Court of Canada may demonstrate a new willingness to give greater bite to the rather limited recourses available under federal data protection legislation for privacy breaches.

A chronic problem with private sector data protection law in Canada has been the rather impoverished remedial arsenal available to address privacy breaches. In those contexts where the Personal Information Protection and Electronic Documents Act (PIPEDA) applies, for example, the Federal Privacy Commissioner plays the role of an ombud. She is able to investigate complaints and to make recommendations, but has no order-making powers. She has recommended that PIPEDA be amended not only to give her such powers, but also to enable her to impose fines on organizations in cases of egregious privacy breaches. Parliament, however, has shown little interest in amending PIPEDA to address these and other concerns.

Absent any real enforcement powers in the hands of the Privacy Commissioner, individuals who have filed complaints under PIPEDA receive a report on the investigation of their complaint, complete with non-binding recommendations. Should they wish to see these recommendations enforced by court order, or should they wish to receive compensation for any damage they have suffered, they must take the matter to Federal Court. To date, relatively few have chosen this option, all have been unrepresented, and only a handful have been successful in obtaining damage awards. Where damages have been awarded, the amounts have been relatively small.

This is why the recent decision in Chitraker v. Bell TV is interesting. In this case, the applicant sought damages for breaches of Bell TV’s legal obligations under PIPEDA. Chitraker had ordered satellite TV service from Bell, and had signed an electronic Proof of Delivery Device when the service was installed in his home. Bell TV then lifted the signature from this device, without Chitraker’s knowledge, and affixed his signature to a contract. Chitraker had not been given a copy of this contract. Among other things, the contract provided that the customer consents to Bell TV performing a credit check. Relying on this clause, Bell accessed Chitraker’s credit history without his actual knowledge or consent. When he later learned of this, Chitraker contacted Bell to begin what turned out to be a long and fruitless customer service runaround. The most he received from Bell was an apology left in his voicemail. Chitraker eventually filed a Complaint with the Office of the Privacy Commissioner of Canada (OPC). The complaint was investigated, ruled well-founded, and recommendations were made to allow Bell to bring itself into compliance with the law. Chitraker then took the matter to the Federal Court, seeking compensatory and aggravated damages for the breach of his privacy rights, and for Bell TV’s “malicious and high-handed conduct” (at para 1).

As is typical in these cases, Chitraker represented himself before the Federal Court. Less typical was Bell TV’s failure to respond to the applicaton. Justice Phelan noted that this “failure to appear in this Court is consistent with its disregard of Chitraker’s privacy rights.”(at para 18). He also noted that without any submissions from Bell it was impossible to know whether the company had implemented any of the OPC’s recommendations.

Justice Phelan was critical of Bell’s failure to compensate Chitraker for what he considered to be a significant breach of his privacy rights, and one that might have had actual adverse consequences for him. He noted that Bell took no steps “to compensate for breach of Chitraker’s privacy rights” (para 22). This wording is interesting since there is nothing in the Act which speaks of an obligation to “compensate”. For the most part, PIPEDA is currently oriented towards correcting improper business practices. Certainly in this case, the court was critical of Bell’s apparent lack of interest in doing even this much; nevertheless, the language used may signal a greater openness to actual compensation for harm suffered. In spite of the lack of evidence of any direct loss suffered by Chitraker, Justice Phalen was prepared to award damages, noting that “there is no reason to require that the violation be egregious before damages will be awarded.” (para 24) This is a most noteworthy departure from earlier case law. For example, in Randall v. Nubody’s Fitness Centres, Justice Mosely of the same court had ruled that a damage award “should not be made lightly and that such an award should only be made in the most egregious situations”. This point was also cited by the Federal Court in another decision, Nammo v. TransUnion of Canada Inc. In Nammo, the first case in which a damages award was made under s. 16 of PIPEDA, the court had awarded $5,000 for what the court clearly felt qualified as an “egregious” situation.

In Chitraker, Justice Phelan emphasized the importance of privacy rights “in an era where information on an individual is so readily available even without consent.” (at para 25) He also took into account the nature of the respondent, noting that “Bell is a large company for whom a small damages award would have little material impact.” In a notable departure from the rather stingy approach of the court in Nammo, Justice Phelan awarded Chitraker $10,000 in damages, with an additional $10,000 in exemplary damages and a further $1,000 in costs. Although the elevated damage award in this case no doubt reflects the particular circumstances, including Bell’s apparent disinterest in addressing the privacy concerns, it does mark an important departure from the Federal Court’s previous approach to damages under PIPEDA.

The Manitoba government has recently enacted the Personal Information Protection and Identity Theft Protection Act (PIPITPA), which has yet to come into force. This statute is private sector data protection legislation which will is presumably intended to apply in place of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to private sector activity within provincial jurisdiction. In order to effectively substitute for the application of PIPEDA, the PIPITPA would need to be declared by the federal Governor-in-Council to be substantially similar to PIPEDA. If Manitoba were to be successful, it would join the ranks of Alberta, British Columbia and Quebec as a province with legislation that is substantially similar to PIPEDA. However, as I will explain below, this may be a difficult case to make.

In terms of the substantive norms that guide the collection, use or disclosure of personal information, the Manitoba legislation draws heavily upon Alberta’s Personal Information Protection Act (PIPA). Indeed, many of the provisions of PIPITPA are taken word for word from the Alberta statute. There are, however, some differences. Unlike PIPA, PIPITPA does not create distinct obligations to notify individuals when they outsource the processing or storage of their personal information to a company in another country (see art. 6(2) of PIPA). Neither does PIPITPA require notification of individuals when an organization uses an offshore service provider to collect personal information, or where it transfers personal information to an offshore company (PIPA s. 13.1). The obligations in PIPITPA regarding personal employee information are also slightly different from those in PIPA; they seem to be somewhat more permissive (although such protections are notably absent under PIPEDA). Perhaps one of the most significant substantive differences relates to the date breach notification requirements. Alberta’s PIPA requires the Commissioner to be notified by an organization where there has been unauthorized access to or disclosure of personal information. The Commissioner may then require the organization to notify affected individuals where “there is a real risk of significant harm as a result of the loss or unauthorized access.” Under Manitoba’s new legislation, an organization must “as soon as is reasonably practicable”, notify any individual if their personal information that has been in the custody or control of the organization “is stolen, lost or accessed in an unauthorized manner.” The organization is not required to make such a notification if it is “satisfied that it is not reasonably possible for the personal information to be used unlawfully.” (art. 34) The difference is important: under Alberta’s statute, the Commissioner, at arm’s length, makes the call as to whether notification is required; under the Manitoba legislation it is the organization, facing embarrassment or even possible legal action, that gets to decide whether individuals should be told of the mishandling of their personal information.

The most significant difference between the Manitoba legislation and both PIPEDA and its substantially similar counterparts relates to oversight and enforcement. The Manitoba Ombudsman is given extremely limited oversight powers under the legislation, and there is no mechanism through which the public can make complaints regarding the handling of their personal information by private sector organizations. Instead, the Manitoba legislation offers only judicial recourse. For example, individuals are given a right of action in a court of competent jurisdiction where an organization has failed to take proper care of information under its control, or for failure in its duty to notify of a significant security breach in respect of personal information. The Act also provides that it is an offence to willfully collect, use or disclose personal information in contravention of the Act, to wilfully attempt to access personal information, or to dispose, alter, falsify, conceal or disclose personal information in order to evade a request for access. These offences require the acts to be willful, setting a rather high threshold. The legislation provides a defense where the organization is considered to have “acted reasonably in the circumstances.” The mens rea requirement will likely make prosecutions rare; in any event, they will be beyond the power of individuals to initiate and pursue on their own. Without a complaint mechanism and without the power to control prosecutions of offenses, the individual is left with no other option but to take an organization to court. As we have seen with court actions under PIPEDA, the damage awards are typically too low to make this kind of recourse practicable. An individual who is willing to take the time and effort to represent themselves in small claims court might walk away with a few dollars, but for many types of mishandling of personal information a complaints mechanism would be far more effective in guiding an organization to modify its practices while at the same time reassuring individuals that something has been done to rectify the problem.

The lack of effective oversight and the lack of an accessible complaints mechanism, in my view make this legislation very far from being substantially similar to PIPEDA. Basic normative requirements are essentially meaningless without appropriate oversight. It is worth noting that even with PIPEDA’s much more significant oversight provisions, the Privacy Commissioner of Canada has grown frustrated with the limits of her own lack of order-making powers under PIPEDA, and with the lack of additional powers to impose fines or penalties in appropriate circumstances. The Manitoba legislation is a long way from what should be required of a province that wishes to remove its private sector organizations out from under the reach of PIPEDA.

My colleague Michael Deturbide and I are very honoured to have been awarded the 2013 Walter Owen Book Prize for our new book Electronic Commerce and Internet Law in Canada, published by Wolters Kluwer (CCH). We are very grateful to the Foundation for Legal Research, which awards this prize, and which also has been a strong pillar of support for legal research in Canada.

Is there any such thing as a free app? In Albilia v. Apple inc, Justice Pierre Nollet of the Quebec Superior Court authorized a class action law suit against Apple in relation to the collection of personal information by third party application (app) developers via Apple devices such as the iPhone and the iPad.

The petitioner alleges that Apple encourages and supports the development of third party apps as a means of bolstering the popularity and sales of its devices. He also alleges that Apple permits third party app developers to harvest personal the information of users from their devices without their knowledge or consent. In particular, he alleges that such information may include precise location information, the unique device identifier, the user’s name, gender, age, postal code and time zone, information about activities performed using the app. He also alleges that this ongoing harvesting of personal information uses up the resources of the devices without the permission of the device owners. The class action is similar to two others that have been filed in the United States against Apple.

Although the petitioner initially sought to certify a Canada-wide class of affected persons, the judge limited the class to Quebec residents. He did so because the petitioner had failed to establish that the laws in relation to privacy across Canada were equivalent to those in Quebec. Indeed, although there are some similarities, it is fair to say that both the Civil Code of Quebec and the Quebec Charter of Human Rights and Freedoms offer both different and quite likely more extensive protection for privacy than do the laws in the common law provinces and territories.

Justice Nollet ultimately certified two classes for the law suit. The first consists of:

all residents in Quebec who have purchased or otherwise acquired an iPhone or iPad (“iDevice”) and who have downloaded free Apps from the App Store onto their iDevices since December 1, 2008 through to the present.

A second class relates specifically to concerns about the collection of geolocation information. This class consists of:

all residents in Quebec who have purchased or otherwise acquired an iPhone and turned Location Services off on their iPhones prior to April 27, 2011 and have unwittingly, and without notice or consent transmitted location data to Respondents’ servers.

The questions to be explored in the class action law suit include issues regarding whether the respondent Apple facilitated profiling of individual users or disclosed personal information without users’ consent to third party app developers. Other issues include whether location information could be collected from devices even after the location services functions are turned off by the user. The litigation also involves issues relating to consent by users to information gathering practices by both Apple and app developers. In bringing his motion the petitioner referred to a recent study by Eric Smith that detailed the information collecting practices of iPhone apps.

The collection of personal information from mobile devices – including data about a user’s online activities and detailed location information – raises significant privacy concerns. Many “free” apps may use information gathering as a means of generating a revenue stream; the information gathered may have nothing to do with the functions of the app itself. Users of mobile devices may not be sufficiently aware of the detailed location information that can be collected and shared when the location functions of their device are turned on; alternatively, they may turn these functions on specifically to enable certain useful features of their device without realizing that the same information may also be collected and used by apps whose functions are completely unrelated to their location. As with many other contexts, the user who downloads apps may have little time or attention to allocate to reading the detailed user agreements and privacy policies that may accompany their new apps. While courts may continue to insist that users are bound by these agreements, there is a growing concern that the sheer number, complexity and length of such agreements makes informed consumer consent virtually impossible on a consistent basis.

Class action law suits advance with glacial speed, and it is not likely that the questions raised in this dispute will be answered any time soon. Yet it is important that they be asked both here and in other contexts. The burden of privacy, in particular of protecting one’s personal information from unwanted profiling and surveillance, is becoming increasingly challenging for individuals. Not only is it difficult to grasp the full range of information that is being collected, by whom, and for what purposes, as we engage in perfectly ordinary day-to-day activities, secondary access to this information by third parties, including police and other state authorities is not at all transparent. In addition to greater scrutiny of data collection practices, attention must also be paid to the issue of consent, which is increasingly becoming a fiction in the face of turgid and impenetrable legal texts accompanying every small piece of software in our lives.

Canada’s Privacy Commissioner, Jennifer Stoddart, along a number of her international counterparts and the commissioners of B.C., Quebec and Alberta have issued a joint letter written to the CEO of Google raising concerns about privacy in relation to Google Glass. This product, still at the beta stage, consists of a kind of interactive mobile computer worn as eyeglasses. Among other things, the glasses have the capacity to record audio and video data, and will be able to run all manner of third party applications.

The Commissioners are justifiably concerned about a product that once launched might raise a host of new and troubling privacy issues. In the letter they call on Google to enter into a dialogue with data protection commissioners with a view to ensuring that the design of the product and of its applications respects privacy values.

What is interesting in this letter is the frank admission by the commissioners of their own precarious jurisdiction when it comes to this technology. While there is no doubt that Google Glass poses significant privacy risks, they are not necessarily ones which would fall within the scope of private sector data protection laws in Canada. These laws generally apply to organizations that collect, use and disclose personal information in the course of commercial activity. Certainly, some of the concerns raised in the letter fall within the scope of these laws. For example, the Commissioners demand to know what information Google might itself collect via Glass when it is in use by individuals. They also seek to know what information will be shared with third parties, including the developers of apps for this product. These are clearly questions that fall within the scope of data protection legislation, as Google is clearly an organization that collects, uses and discloses personal information in the course of commercial activity.

However, Glass will also have privacy implications as between the wearers of the technology and those persons who may fall within the field of view of the user. The Commissioners specifically address the use of this product to surreptitiously film or record individuals. This is a serious privacy concern. It is one that is already raised by the recording capacity of smartphones and tablets; the particular concern with Glass is that it will be possible to be even more surreptitious in making such recordings. Yet the privacy issues raised by this type of activity are not ones to which private sector data protection legislation would apply. For example, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) specifically does not apply to “any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose.” The scope of this exception is potentially very broad; the law would not apply, for example, to recordings made by individuals and posted to their Facebook accounts or to YouTube.

The Commissioners, of course, are well aware of this gap in their powers. In their letter they explicitly acknowledge it: “We are aware that these questions relate to issues that fall squarely within our purview as data protection commissioners, as well as to other broader, ethical issues that arise from wearable computing.” Nevertheless, they use the opportunity presented by the privacy issues within their mandates to raise the “broader ethical issues”.

This gap in jurisdiction over privacy is of growing importance. Where once high powered technologies of surveillance were only affordable by professionals, low cost, high powered technology is increasingly moving into the hands of ordinary individuals. In addition, the ability to disseminate audio and video recordings to a global audience – also something that was once only within the powers of established private sector corporations – is now something that can be done by any individual with an internet connection. As the corporate intermediaries become obsolete, so too do data protection laws that are framed exclusively around private sector actors engaged in commercial activity. The appropriate legislative response is not clear; legislated limits on how individuals can interact with and communicate information about themselves and their experiences would raise significant freedom of expression issues.

The data commissioners’ letter to Google is thus most interesting. Acknowledging both the limits of their powers and the enormous gap in the protection of the public in a rapidly changing information technology environment, they have chosen to publicly raise both privacy and ethical issues with Google. Law- and policy-makers should be watching and should be thinking about how this gap should be filled.

The US government is in damage control mode after it was leaked to the press this week that it had established a massive surveillance program under which it obtained comprehensive communications data from telecommunications and technology companies. Privacy advocates have decried this secret and massive data mining exercise.

Canadians should not sit back complacently to watch this unfolding spectacle south of the border. It was only last year that our own government tried to introduce legislation that would have provided for the building of the physical and legal infrastructure for substantially increased Internet surveillance. Although Bill C-30 was ultimately defeated, there are nonetheless other laws already on the books that leave Canadians vulnerable to unwarranted and invisible surveillance. For years privacy advocates in Canada have been warning of legal provisions that allow police and national security agencies to seek personal information from private sector companies, and that allow these companies to hand over this information without a court order and with no accountability.

The first of these provisions is s. 7(3)(c.1) of the Personal Information Protection and Electronic Documents Act, which provides that an organization “may disclose personal information without the knowledge or consent of the individual” where the disclosure is made to a government actor that has made a request for the information, and has indicated that the information may be related to national security issues, may be relevant to an investigation related to the enforcement of any law, or is sought for the purpose of “administering” any federal or provincial law.

The second provision is s. 487.014 of the Criminal Code, which provides that no court order is required for a law enforcement official “to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.” In other words, as long as no other law prohibits such a disclosure, the information may simply be handed over.

Both PIPEDA and the Criminal Code permit private sector companies in Canada to voluntarily disclose the personal information of their customers to police officers or national security officials without the knowledge or consent of the individuals in question, and without an order from a judge. Companies may still refuse to make such disclosures without being ordered to do so by a court, and while some do in some circumstances, plenty of others do not. According to the federal Privacy Commissioner, “We have no way of knowing for certain the number, scale, frequency of, or reasons for, such disclosures although we understand that they are substantial.”(The Case for Reforming the Personal Information Protection and Electronic Documents Act at p. 13). Nothing obliges companies to disclose to the public how many requests for information they receive or with how many they have voluntarily complied. Similarly, nothing obliges public authorities to disclose how many requests they make, to what companies, or for what types of information.

Given the vast amounts of personal information of increasingly fine detail that private sector companies collect about all of us, this should be a matter of some concern. Telecommunications companies can match our personal information to IP addresses, which in turn can be linked to all of our online activities. Telecommunications companies also have rich stores of data regarding our calling activities; in the case of smart phones, this information may also include fine-grained location information. Other companies gather our location information, as well as information about our purchases, transactions, conversations, friends, associates and activities. These vast stores of information in the private sector may be simply a request away from disclosure to authorities – and we may never know just how much information is being shared or in what circumstances.

In response to this highly troubling set of circumstances, the federal Privacy Commissioner, Jennifer Stoddart, recently called for reforms to PIPEDA that would impose some level of accountability where public authorities access information in this manner. In a document titled The Case for Reforming the Personal Information Protection and Electronic Documents Act the Commissioner recommended that the law be amended to require private sector organizations “to publicly report on the number of disclosures they make to law enforcement under paragraph 7(3)(c.1), without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception.”

This call for greater transparency in determining just how often the personal information of Canadians is disclosed to government authorities without the knowledge or consent of the individual and without judicial authorization is well-timed. As disturbing as the news of the US surveillance program is, we should not lose sight of the fact that there are vast personal information resources that sit within easy reach of our own government and its officials – and that there are laws currently on the books that facilitate easy and virtually traceless access to it.