Teresa Scassa - Blog

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

On May 21, 2019, Canada’s federal government launched its Digital Charter, along with several other supporting documents, including its action plan for the Charter and proposals for modernizing the Personal Information Protection and Electronic Documents Act (PIPEDA). Together, the documents discuss the outcomes of the recent federal digital strategy consultation and chart a path forward for federal policy in this area. The documents reflect areas where the government is already forging ahead, and they touch on a number of issues that have been at the centre of media attention, as well as public and private sector engagement.

As a strategy document (which, launched less than six months away from an election, it essentially is) the Digital Charter hits many of the right notes, and its accompanying documentation reveals enough work already underway to give shape to its vision and future directions. Navdeep Bains, the Minister of Innovation, Science and Economic Development, describes the Digital Charter as articulating principles that “are the foundation for a made in Canada digital approach that will guide our policy thinking and actions and will help to build an innovative, people-centred and inclusive digital and data economy.”

The Digital Charter features 10 basic principles. Three relate to digital infrastructure: universal access to digital services; safety and security; and open and modern digital government. Another three touch on human rights issues: data and digital for good; strong democracy; and freedom from hate and violent extremism. Two principles address data protection concerns: control and consent; and transparency, portability and interoperability — although the latter principle blends into the marketplace and competition concerns that are also reflected in the principle of ensuring a level playing field. Perhaps the most significant principle in terms of impact is the tenth, an overarching commitment to strong enforcement and real accountability. Weak enforcement has undermined many of our existing laws that apply in the digital context, and without enforcement or accountability, there is little hope for a credible strategy. Taken together, the 10 principles reflect a careful and thorough synthesis of some of the issues confronting Canada’s digital future.

Yet, this digital charter might more accurately be described as a digital chart. In essence, it is an action plan, and while it is both credible and ambitious, it is not a true charter. A charter is a document that creates legal rights and entitlements. The Digital Charter does not. Its principles are framed in terms of open-ended goals: “Canadians will have control over what data they are sharing,” “All Canadians will have equal opportunity to participate in the digital world,” or “Canadians can expect that digital platforms will not foster or disseminate hate, violent extremism or criminal content.” Some of the principles reflect government commitments: “The Government of Canada will ensure the ethical use of data.” But saying that some can “expect” something is different from saying they have a right to it.

The goals and commitments in the Digital Charter are far from concrete. That is fair enough — these are complex issues — but concepts such as universal digital access and PIPEDA reform have been under discussion for a long time now with no real movement. A chart shows us the way, but it does not guarantee we’ll arrive at the destination.

It is interesting to note as well that privacy as a right is not squarely a part of the Digital Charter. Although privacy has (deservedly) been a high-profile issue in the wake of the Cambridge Analytica scandal and the controversies over Sidewalk Labs’ proposed smart city development in Toronto, this Digital Charter does not proclaim a right to privacy. A right to be free from unjustified surveillance (by public or private sector actors) would be a strong statement of principle. An affirmation of the importance of privacy in supporting human autonomy and dignity would also acknowledge the fundamental importance of privacy, particularly as our digital economy plows forward. The Digital Charter does address data protection, stating that Canadians will have control over the data they share and will “know that their privacy is protected.” They will also have “clear and manageable access to their personal data.” While these are important data protection goals, they are process-related commitments and are aimed at fostering trust for the purpose of data sharing.

Indeed, trust is at the the core of the government strategy. Minister Bains makes it clear that, in his view, “innovation is not possible without trust.” Further, “trust and privacy are key to ensuring a strong, competitive economy and building a more inclusive, prosperous Canada.”

Privacy, however, is the human right; trust is how data protection measures are made palatable to the commercial sector. Trust is about relationships — in this case, between individuals and businesses and, to some extent, between individuals and governments. In these relationships, there is a disparity of power that leaves individuals vulnerable to exploitation and abuse. A trust-oriented framework encourages individuals to interact with businesses and government — to share their data in order to fuel the data economy. This is perhaps the core conundrum in creating digital policy in a rapidly shifting and evolving global digital economy: the perceived tension between protecting human rights and values on the one hand, and fostering a competitive and innovative business sector on the other. In a context of enormous imbalance of power, trust that is not backed up by strong, enforceable measures grounded in human rights principles is a flimsy thing indeed.

And this, in a nutshell, is the central flaw in an otherwise promising Digital Charter. As a road map for future government action, it is ambitious and interesting. It builds on policies and actions that are already underway, and sets a clear direction for tackling the many challenges faced by Canada and Canadians in the digital age. It presents a pre-election digital strategy that is in tune with many of the current concerns of both citizens and businesses. As a charter, however, it falls short of grounding the commitments in basic rights and enshrining values for our digital future. That, perhaps, is a tall order and it may be that a transparent set of principles designed to guide government law and policy making is as much as we can expect at this stage. But calling it a Charter misleads, and creates the impression that we have done the hard work of articulating and framing the core human rights values that should set the foundational rules for the digital society we are building.

On April 25 the federal Privacy Commissioner and the Privacy Commissioner of British Columbia released a joint Report of Findings in an investigation into Facebook’s handling of personal information in relation to the Cambridge Analytica scandal. Not surprisingly, the report found that Facebook was in breach of a number of different obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Somewhat more surprisingly, the Report also finds that the corresponding obligations under BC’s Personal Information Protection Act (PIPA) were also breached. The Report criticizes Facebook for being less than fully cooperative in the investigation. It also notes that Facebook has disputed the Commissioners’ findings and many of their recommendations. The Report concludes by stating that each Commissioner will “proceed to address the unresolved issues in accordance with our authorities” under their respective statutes. Since the federal Commissioner has no order-making powers, the next step for him will be the Federal Court seeking a court order to compel changes. This will be a hearing de novo – meaning that the same territory will be covered before the Court, and Facebook will be free to introduce new evidence and argument to support its position. The court will owe no deference to the findings of the Privacy Commissioner. Further, while the Federal Trade Commission in the US contemplates fines to impose on Facebook in relation to its role in this scandal, Canada’s Commissioner does not have such a power, nor does the Federal Court. This is the data protection law we have – it is not the one that we need. Just as the Cambridge Analytica scandal drew attention to the dynamics and scale of personal data use and misuse, this investigation and its outcomes highlight the weaknesses of Canada’s current federal data protection regime.

As for the BC Commissioner – he does have order making powers under PIPA, and in theory he could order Facebook to change its practices in accordance with the findings in the Report. What the BC Commissioner lacks, however, with all due respect, is jurisdiction, as I will discuss below.

While the substantive issues raised in the complaint are important and interesting ones, this post will focus on slightly less well-travelled territory. (For comment on these other issues see, for example, this op-ed by Michael Geist). My focus is on the issue of jurisdiction. In this case, the two Commissioners make joint findings about the same facts, concluding that both statutes are breached. Although Facebook challenges their jurisdiction, the response, in the case of the BC Commissioner’s jurisdiction is brief and unsatisfactory. In my view, there is no advantage to Canadians in having two different data protection laws apply to the same facts, and there is no benefit in a lack of clarity as to the basis for a Commissioner’s jurisdiction.

This investigation was carried out jointly between the federal and the BC Privacy Commissioner. There is somewhat of a BC nexus, although this is not mentioned in the findings. One of the companies involved in processing data from Facebook is Aggregate IQ, a BC-based analytics company. There is an ongoing joint investigation between the BC and federal Privacy Commissioners into the actions of Aggregate IQ. However, this particular report of findings is in relation to the activities of Facebook, and not Aggregate IQ. While that other joint investigation will raise similar jurisdictional questions, this one deals with Facebook, a company over whose activities the federal Privacy Commissioner has asserted jurisdiction in the past.

There is precedent for a joint investigation of a privacy complaint. The federal privacy commissioners of Australia and Canada carried out a joint investigation into Ashley Madison. But I that case each Commissioner clearly had jurisdiction under their own legislation. This, I will argue, is not such a case. Within Canada, only one privacy Commissioner will have jurisdiction over a complaint arising from a particular set of facts. In this case, it is the federal Privacy Commissioner.

Unsurprisingly, Facebook raised jurisdictional issues. It challenged the jurisdiction of both commissioners. The challenge to the federal Commissioner’s jurisdiction was appropriately dismissed – there is a sufficient nexus between Facebook and Canada to support the investigation under PIPEDA. However, the challenge to the jurisdiction of the BC Commissioner was more serious. Nevertheless, it was summarily dismissed in the findings.

Uneasiness about the constitutional reach of PIPEDA in a federal state has meant that the law, which relies on the federal trade and commerce power for its constitutional legitimacy, applies only in the context of commercial activity. It applies across Canada, but it carves out space for those provinces that want to enact their own data protection laws to assert jurisdiction over the intra-provincial collection, use and disclosure of personal information. To oust PIPEDA in this sphere, these laws have to be considered “substantially similar” to PIPEDA (s. 26(2)(b)). Three provinces – BC, Alberta and Quebec, have substantially similar private sector data protection laws. Even within those provinces, PIPEDA will apply to the collection, use or disclosure by federally-regulated businesses (such as banks or airline companies). It will also apply to cross-border activities by private sector actors (whether international or inter-provincial). This split in jurisdiction over privacy can be complicated for individuals who may not know where to direct complaints, although the different commissioners’ offices will provide assistance. This does not mean there is no room for collaboration. The federal and provincial Commissioners have taken common positions on many issues in the past. These instances are conveniently listed on the website of Alberta’s privacy commissioner.

What has happened in this case is quite different. This is described as a joint investigation between the two Commissioners, and it has resulted in a joint set of recommendations and findings. Both PIPEDA and BC’s PIPA are cited as being applicable laws. In response to the challenge to the BC Privacy Commissioner’s jurisdiction, the Report tersely states that “PIPA (Personal Information Protection Act (British Columbia)) applies to Facebook’s activities occurring within the province of BC”. Yet no information is given as to what specific activities of Facebook were exclusively within the province of BC. No distinction is made at any point in the report between those activities subject to PIPA and those falling under PIPEDA. In this respect, it seems to me that Facebook is entirely correct in challenging the BC Privacy Commissioner’s jurisdiction. Facebook collects, uses and discloses personal information across borders, and its activities with respect to Canadians are almost certainly covered by PIPEDA. If that is the case, then they are not also subject to PIPA. The Exemption Order that finds PIPA BC to be substantially similar to PIPEDA provides:

1. An organization, other than a federal work, undertaking or business, to which the Personal Information Protection Act, S.B.C. 2003, c. 63, of the Province of British Columbia, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act, in respect of the collection, use and disclosure of personal information that occurs within the Province of British Columbia.

Section 3(2) of the Personal Information Protection Act provides:

(2) This Act does not apply to the following:

(c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;

The “federal Act” is defined in s. 1 of PIPA to mean PIPEDA. The scheme is quite simple: if PIPEDA applies then PIPA does not. If the federal Commissioner has jurisdiction over the activities described in the Report, the provincial Commissioner does not. The only way in which the BC Commissioner would have jurisdiction is if there are purely local, provincial activities of Facebook that would not be covered by PIPEDA. Nothing in the Findings suggests that there are. At a minimum, if there are separate spheres of legislative application, these should be made explicit in the Findings.

Jurisdictional issues matter. We already have a complex mosaic of different data protection laws (federal, provincial, public sector, private sector, health sector) in Canada. Individuals must muddle through them to understand their rights and recourses; while organizations and entities must likewise understand which laws apply to which of their activities. Each statute has its own distinct sphere of operation. We do not need the duplication that would result from the adjudication of the same complaint under two (or more) different statutes; or the confusion that might result from different results flowing from different complaint resolutions. If there are separate sets of facts giving rise to separate breaches under different statutes, this has to be spelled out.

Federal-provincial cooperation on data protection is important; it is also valuable for the different privacy commissioners to reach consensus on certain principles or approaches. But creating overlapping jurisdiction over complaints flies in the face of the law and creates more problems than it solves. We have enough data protection challenges to deal with already.

Schedule 31 and Schedule 41 of Ontario’s new omnibus Budget Bill amend the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) respectively. One change to both statutes will expand the ability of public sector bodies to share personal information with law enforcement without consent. A more extensive set of amendments to FIPPA constitute another piece of the government’s digital and data strategy, which is further developed in the Simpler, Faster, Better Services Act, another piece of the budget bill discussed in my post here.

FIPPA and MFIPPA set the rules for the collection, use and disclosure of personal information by the public sector. MFIPPA applies specifically to municipalities, and FIPPA to the broader public sector. Both statutes prohibit the disclosure of personal information under the custody or control of a public body unless such a disclosure falls under an exception. Currently, both statutes have an exception related to investigations which reads:

(g) if disclosure is to an institution or a law enforcement agency in Canada to aid an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

The Budget Bill will amend this exception by replacing it with:

(g)  to an institution or a law enforcement agency in Canada if,

(i)  the disclosure is to aid in an investigation undertaken by the institution or the agency with a view to a law enforcement proceeding, or

(ii)  there is a reasonable basis to believe that an offence may have been committed and the disclosure is to enable the institution or the agency to determine whether to conduct such an investigation;

Paragraph (g)(i) is essentially the same as the original provision. What is new is paragraph (g)(ii). It broadens the circumstances in which personal information can be shared with law enforcement. Not only that, it does so in the squishiest of terms. There must be a reasonable basis to believe that an offence may have been committed. This is different from a reasonable basis to believe that an offence has been committed. Not only does it lower the threshold in the case of individuals, it may also open the door to the sharing of personal information for law enforcement fishing expeditions. After all, if enough people file for certain benefits, it might be reasonable to believe that an offence may have been committed (there’s always someone who tries to cheat the system, right?). The exception could enable the sharing of a quantity of personal information to permit the use of analytics to look for anomalies that might suggest the commission of on offence. The presence of this amendment in an omnibus budget bill that will receive very little scrutiny or debate contradicts the government’s own statement, in its announcement of its data strategy consultation, that “Data privacy and protection is paramount.” This is not a privacy-friendly amendment.

The other set of amendments to FIPPA contained in the budget bill are aimed at something labelled “data integration”. This is a process meant to allow government to derive greater value from its stores of data, by allowing it to generate useful data, including statistical data, to government and its departments and agencies. It allows for the intra-governmental sharing of data for preparing statistics for the purposes of resource management or allocation, as well as the planning and evaluation of the delivery of government funded programs and services, whether they are funded “in whole or in part, directly or indirectly” (s. 49.2(b)).

Because these amendments contemplate the use of personal information, there are measures specifically designed to protect privacy. For example, under s. 49.3, personal information is not to be used for data integration unless other data will not serve the purpose, and no more personal information shall be used than is reasonably necessary to meet the purpose. Public notice of the indirect (i.e. not directly from the individual) collection of personal information must be provided under s. 49.4. Any collection of personal information can only take place after data standards provided for in s. 49.14 have been approved by the Privacy Commissioner (s. 49.5). Once collected, steps must be taken to deidentify the personal information. The amendments include a definition of deidentification, which involves the removal of direct identifiers as well as any information “that could be used, either alone or with other information, to identify an individual based on what is reasonably foreseeable in the circumstances” (s. 49.1). Section 49.8 specifically prohibits anyone from using or attempting to use “information that has been identified under this Part, either alone or with other information, to identify an individual”.

Provision is made for the disclosure of personal information collected through the data integration scheme in limited circumstances – this includes the unfortunately worded exception discussed above where “there is a reasonable basis to believe that an offence may have been committed”. (s. 49.9(c)(ii)).

In terms of transparency, a new s. 49.10 provides for notice to be published on a website setting out information about any collection of personal information by a ministry engaged in data integration. The information provided must include the legal authority for the collection; the type of personal information that may be collected; and the information sources, the purpose of any collection, use or disclosure, as well as the nature of any linkages that will be made. Contact information must also be provided for someone who can answer any questions about the collection, use or disclosure of the personal information. Contact information must also be provided for the Privacy Commissioner. Data standards developed in relation to data integration must also be published (s. 49.14(2)), and any data integration unit that collections personal information must publish an annual report setting out prescribed information (s. 49.13).

Section 49.11 mandates the safe storage and disposal of any personal information, and sets retention limits. It also provides for data breach notification to be made to affected individuals as well as to the Commissioner. The Commissioner has the power, under s. 49.12 to review the practices and procedures of any data integration unit if the Commissioner “has reason to believe that the requirements of this Part are not being complied with”. The Commissioner has power to make orders regarding the discontinuance or the modification of practices or procedures, and can also order the destruction of personal information or require the adoption of a new practice or procedure.

The amendments regarding data integration are clearly designed to facilitate a better use of government data for the development and delivery of programs and services and for their evaluation. These are important measures and seem to have received some careful attention in the amendments. Once again, however, these seem to be important pieces of the data strategy for which the government has recently launched a consultation process that seems to be becoming more irrelevant by the day. Further, as part of an omnibus budget bill, these measures will not receive much in the way of discussion or debate. This is particularly unfortunate for two reasons. First, as the furore over Statistics Canada’s foray into using personal information to generate statistical data shows, transparency, public input and good process are important. Second, the expansion of bases on which personal information shared with government can be passed along to law enforcement merits public scrutiny, debate and discussion. Encroachments on privacy slipped by on the sly should be particularly suspect.

On April 4, 2019 I appeared before the Senate Standing Committee on Banking, Trade and Commerce (BANC) which has been holding hearings on Open Banking, following the launch of a public consultation on Open Banking by the federal government. Open banking is an interesting digital innovation initiative with both potential and risks. I wrote earlier about open banking and some of the privacy issues it raises here. I was invited by the BANC Committee to discuss ‘data ownership’ in relation to open banking. The text of my open remarks to the committee is below. My longer paper on Data Ownership is here.

_______________

Thank you for this invitation and opportunity to meet with you on the very interesting subject of Open Banking, and in particular on data ownership questions in relation to open banking.

I think it is important to think about open banking as the tip of a data iceberg. In other words, if Canada moves forward with open banking, this will become a test case for rendering standardized data portable in the hands of consumers with the goal of providing them with more opportunities and choices while at the same time stimulating innovation.

The question of data ownership is an interesting one, and it is one that has become of growing importance in an economy that is increasingly dependent upon vast quantities of data. However, the legal concept of ‘ownership’ is not a good fit with data. There is no data ownership right per se in Canadian law (or in law elsewhere in comparable jurisdictions, although in the EU the idea has recently been mooted). Instead, we have a patchwork of laws that protect certain interests in data. I will give you a very brief overview before circling back to data portability and open banking.

The law of confidential information exists to protect interests in information/data that is kept confidential. Individuals or corporations are often said to ‘own’ confidential information. But the value of this information lies in its confidentiality, and this is what the law protects. Once confidentiality is lost, so is exclusivity – the information is in the public domain.

The Supreme Court of Canada in 1988 also weighed in on the issue of data ownership – albeit in the criminal law context. They ruled in R. v. Stewart that information could not be stolen for the purposes of the crime of theft, largely because of its intangible nature. Someone could memorize a confidential list of names without removing the list from the possession of its ‘owner’. The owner would be deprived of nothing but the confidentiality of and control over the information.

It is a basic principle of copyright law that facts are in the public domain. There is good reason for this. Facts are seen as the building blocks of expression, and no one should have a monopoly over them. Copyright protects only the original expression of facts. Under copyright law, it is possible to have protection for a compilation of facts – the original expression will lie in the way in which the facts are selected or arranged. It is only that selection or arrangement that is protected – not the underlying facts. This means that those who create compilations of fact may face some uncertainty as to their existence and scope of any copyright. The Federal Court of Appeal, for example, recently ruled that there was no copyright in the Ontario Real Estate Board’s real estate listing data.

Of course, the growing value of data is driving some interesting arguments – and decisions – in copyright law. A recent Canadian case raises the possibility that facts are not the same as data under copyright law. This issue has also arisen in the US. Some data are arguably ‘authored’, in the sense that they would not exist without efforts to create them. Predictive data generated by algorithms are an example, or data that require skill, judgment and interpretation to generate. Not that many years ago, Canada Post advanced the argument that they had copyright in a postal code. In the US, a handful of cases have recognized certain data as being ‘authored’, but even in those cases, copyright protection has been denied on other grounds. According ownership rights over data – and copyright law provides a very extended period of protection – would create significant issues for expression, creation and innovation.

The other context in which the concept of data ownership arises is in relation to personal information. Increasingly we hear broad statements about how individuals ‘own’ their personal information. These are not statements grounded in law. There is no legal basis for individuals to be owners of their personal information. Individuals do have interests in their personal information. These interests are defined and protected by privacy and data protection laws (as well as by other laws relating to confidentiality, fiduciary duties, and so on). The GDPR in Europe was a significant expansion/enhancement of these interests, and reform of PIPEDA in Canada – if it ever happens – could similarly enhance the interests that individuals have in their personal data.

Before I speak more directly of these interests – and in particular of data portability – I want to just mention why it is that it is difficult to conceive of interests in personal data in terms of ownership.

What personal data could you be said to own, and what would it mean? Some personal data is observable in public contexts. Do you own your name and address? Can you prevent someone from observing you at work every day and deciding you are regularly late and have no dress sense? Is that conclusion your personal information or their opinion? Or both? If your parents’ DNA might reveal your own susceptibility to particular diseases, is their DNA your personal information? If an online bookstore profiles you as someone who likes to read Young Adult Literature – particularly vampire themed – is that your personal information or is it the bookstore’s? Or is it both? Data is complex and there may be multiple interests implicated in the creation, retention and use of various types of data – whether it is personal or otherwise. Ownership – a right to exclusive possession – is a poor fit in this context. And the determination of ownership on the basis of the ‘personal’ nature of the data will overlook the fact that there may be multiple interests entangled in any single datum.

What data protection laws do is define the nature and scope of a person’s interest in their personal information in particular contexts. In Canada, we have data protection laws that apply with respect to the public sector, the private sector, and the health sector. In all cases, individuals have an interest in their personal information which is accompanied by a number of rights. One of these is consent – individuals generally have a right to consent to the collection, use or disclosure of their personal information. But consent for collection is not required in the public sector context. And PIPEDA has an ever-growing list of exceptions to the requirements for consent to collection, use or disclosure. This shows how the interest is a qualified one. Fair information principles reflected in our data protection laws place a limit on the retention of personal information – when an organization that has collected personal information that is now no longer required for the purpose for which it is collected, their obligation is to securely dispose of it – not to return it to the individual. The individual has an interest in their personal information, but they do not own it. And, as data protection laws make clear, the organizations that collect, use and disclose personal information also have an interest in it – and they may also assert some form of ownership rights over their stores of personal information.

As I mentioned earlier, the GDPR has raised the bar for data protection world-wide. One of the features of the GDPR is that it greatly enhances the nature and quality of the data subject’s interest in their personal information. The right to erasure, for example, limited though it might be, gives individuals control over personal information that they may have, at one time, shared publicly. The right of data portability – a right that is reflected to some degree in the concept of open banking – is another enhancement of the control exercised by individuals over their personal information.

What portability means in the open banking context is that individuals will have the right to provide access to their personal financial data to a third party of their choice (presumably from an approved list). While technically they can do that now, it is complicated and not without risk. In open banking, the standard data formats will make portability simple, and will enhance the ability to bring the data together for analysis and to provide new tools and services. Although individuals will still not own their data, they will have a further degree of control over it. Thus, open banking will enhance the interest that individuals have in their personal financial information. This is not to say that it is not without risks or challenges.

On February 5, 2019 the Ontario Government launched a Data Strategy Consultation. This comes after a year of public debate and discussion about data governance issues raised by the proposed Quayside smart cities development in Toronto. It also comes at a time when the data-thirsty artificial intelligence industry in Canada is booming – and hoping very much to be able to continue to compete at the international level. Add to the mix the view that greater data sharing between government departments and agencies could make government ‘smarter’, more efficient, and more user-friendly. The context might be summed up in these terms: the public is increasingly concerned about the massive and widespread collection of data by governments and the private sector; at the same time, both governments and the private sector want easier access to more and better data.

Consultation is a good thing – particularly with as much at stake as there is here. This consultation began with a press release that links to a short text about the data strategy, and then a link to a survey which allows the public to provide feedback in the form of answers to specific questions. The survey is open until March 7, 2019. It seems that the government will then create a “Minister’s Task Force on Data” and that this body will be charged with developing a draft data strategy that will be opened for further consultation. The overall timeline seems remarkably short, with the process targeted to wrap up by Fall 2019.

The press release telegraphs the government’s views on what the outcome of this process must address. It notes that 55% of Canada’s Big data vendors are located in Ontario, and that government plans “to make life easier for Ontarians by delivering simpler, faster and better digital services.” The goal is clearly to develop a data strategy that harnesses the power of data for use in both the private and public sectors.

If the Quayside project has taught anyone anything, it is that people do care about their data in the hands of both public and private sector actors. The press release acknowledges this by referencing the need for “ensuring that data privacy and protection is paramount, and that data will be kept safe and secure.” Yet perhaps the Ontario government has not been listening to all of the discussions around Quayside. While the press release and the introduction to the survey talk about privacy and security, neither document addresses the broader concerns that have been raised in the context of Quayside, nor those that are raised in relation to artificial intelligence more generally. There are concerns about bias and discrimination, transparency in algorithmic decision-making, profiling, targeting, and behavioural modification. Seamless sharing of data within government also raises concerns about mass surveillance. There is also a need to consider innovative solutions to data governance and the role the government might play in fostering or supporting these.

There is no doubt that the issues underlying this consultation are important ones. It is clear that the government intends to take steps to facilitate intra-governmental sharing of data as well as greater sharing of data between government and the private sector. It is also clear that much of that data will ultimately be about Ontarians. How this will happen, and what rights and values must be protected, are fundamental questions.

As is the case at the provincial and federal level across the country, the laws which govern data in Ontario were written for a different era. Not only are access to information and protection of privacy laws out of date, data-driven practices increasingly impact areas such as consumer protection, competition, credit reporting, and human rights. An effective data strategy might need to reach out across these different areas of law and policy.

Privacy and security – the issues singled out in the government’s documents – are important, but privacy must mean more than the narrow view of protecting identifiable individuals from identity theft. We need robust safeguards against undue surveillance, assurances that our data will not be used to profile or target us or our communities in ways that create or reinforce exclusion or disadvantage; we need to know how privacy and autonomy will be weighed in the balance against the stimulation of the economy and the encouragement of innovation. We also need to consider whether there are uses to which our data should simply not be put. Should some data be required to be stored in Canada, and if so in what circumstances? These and a host of other questions need to be part of the data strategy consultation. Perhaps a broader question might be why we are talking only about a data strategy and not a digital strategy. The approach of the government seems to focus on the narrow question of data as both an input and output – but not on the host of other questions around the digital technologies fueled by data. Such questions might include how governments should go about procuring digital technologies, the place of open source in government, the role and implication of technology standards – to name just a few.

With all of these important issues at stake, it is hard not to be disappointed by the form and substance of at least this initial phase of the government's consultation. It is difficult to say what value will be derived from the survey which is the vehicle for initial input. Some of the questions are frankly vapid. Consider question 2:

2. I’m interested in exploring the role of data in:

creating economic benefits

increasing public trust and confidence

better, smarter government

other

There is no box in which to write in what the “other” might be. And questions 9 to 11 provide sterling examples of leading questions:

9. Currently, the provincial government is unable to share information among ministries requiring individuals and businesses to submit the same information each time they interact with different parts of government. Do you agree that the government should be able to securely share data among ministries?

Yes

No

I’m not sure

10. Do you believe that allowing government to securely share data among ministries will streamline and improve interactions between citizens and government?

Yes

No

I’m not sure

11. If government made more of its own data available to businesses, this data could help those firms launch new services, products, and jobs for the people of Ontario. For example, government transport data could be used by startups and larger companies to help people find quicker routes home from work. Would you be in favour of the government responsibly sharing more of its own data with businesses, to help them create new jobs, products and services for Ontarians?

Yes

No

I’m not sure

In fairness, there are a few places in the survey where respondents can enter their own answers, including questions about what issues should be put to the task force and what skills and experience members should have. Those interested in data strategy should be sure to provide their input – both now and in the later phases to come.

Note: This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

In early January 2019, Bell Canada caught the media spotlight over its “tailored marketing program”. The program will collect massive amounts of personal information, including “Internet browsing, streaming, TV viewing, location information, wireless and household calling patterns, app usage and the account information”. Bell’s background materials explain that “advertising is a reality” and that customers who opt into the program will see ads that are more relevant to their needs or interests. Bell promises that the information will not be shared with third party advertisers; instead it will enable Bell to offer those advertisers the ability to target ads to finely tuned categories of consumers. Once consumers opt in, their consent is presumed for any new services that they add to their account.

This is not the first time Bell has sought to collect vast amounts of data for targeted advertising purposes. In 2015, it terminated its short-lived and controversial “Relevant Ads” program after an investigation initiated by the Privacy Commissioner of Canada found that the “opt out” consent model chosen by Bell was inappropriate given the nature, volume and sensitivity of the information collected. Nevertheless, the Commissioner’s findings acknowledged that “Bell’s objective of maximizing advertising revenue while improving the online experience of customers was a legitimate business objective.”

Bell’s new tailored marketing program is based on “opt in” consent, meaning that consumers must choose to participate and are not automatically enrolled. This change and the OPC’s apparent acceptance of the legitimacy of targeted advertising programs in 2015 suggest that Bell may have brought its scheme within the parameters of PIPEDA. Yet media coverage of the new tailored ads program generated public pushback, suggesting that the privacy ground has shifted since 2015.

The rise of big data analytics and the stunning recent growth of artificial intelligence have sharply changed the commercial value of data, its potential uses, and the risks it may pose to individuals and communities. After the Cambridge Analytica scandal, there is also much greater awareness of the harms that can flow from consumer profiling and targeting. While conventional privacy risks of massive personal data collection remain (including the risk of data breaches, and enhanced surveillance), there are new risks that impact not just privacy but consumer choice, autonomy, and equality. Data misuse may also have broader impacts than just on individuals; such impacts may include group-based discrimination, and the kind of societal manipulation and disruption evidenced by the Cambridge Analytica scandal. It is not surprising, then, that both the goals and potential harms of targeted advertising may need rethinking; along with the nature and scope of data on which they rely.

The growth of digital and online services has also led to individuals effectively losing control over their personal information. There are too many privacy policies, they are too long and often obscure, products and services are needed on the fly and with little time to reflect, and most policies are ‘take-it-or-leave-it”. A growing number of voices are suggesting that consumers should have more control over their personal information, including the ability to benefit from its growing commercial value. They argue that companies that offer paid services (such as Bell) should offer rebates in exchange for the collection or use of personal data that goes beyond what is needed for basic service provision. No doubt, such advocates would be dismayed by Bell’s quid pro quo for its collection of massive amounts of detailed and often sensitive personal information: “more relevant ads”. Yet money-for-data schemes raise troubling issues, including the possibility that they could make privacy something that only the well-heeled can afford.

Another approach has been to call for reform of the sadly outdated Personal Information Protection and Electronic Documents Act. Proposals include giving the Privacy Commissioner enhanced enforcement powers, and creating ‘no go zones’ for certain types of information collection or uses. There is also interest in creating new rights such as the right to erasure, data portability, and rights to explanations of automated processing. PIPEDA reform, however, remains a mirage shimmering on the legislative horizon.

Meanwhile, the Privacy Commissioner has been working hard to squeeze the most out of PIPEDA. Among other measures, he has released new Guidelines for Obtaining Meaningful Consent, which took effect on January 1, 2019. These guidelines include a list of “must dos” and “should dos” to guide companies in obtaining adequate consent

While Bell checks off many of the ‘must do’ boxes with its new program, the Guidelines indicate that “risks of harm and other consequences” of data collection must be made clear to consumers. These risks – which are not detailed in the FAQs related to the program – obviously include the risk of data breach. The collected data may also be of interest to law enforcement, and presumably it would be handed over to police with a warrant. A more complex risk relates to the fact that internet, phone and viewing services are often shared within a household (families or roommates) and targeted ads based on viewing/surfing/location could result in the disclosure of sensitive personal information to other members of the household.

Massive data collection, profiling and targeting clearly raise issues that go well beyond simple debates over opt-in or opt-out consent. The privacy landscape is changing – both in terms of risks and responses. Those engaged in data collection would be well advised to be attentive to these changes.

In Netlink Computer Inc. (Re), the British Columbia Supreme Court dismissed an application for leave to sue a trustee in bankruptcy for the an alleged improper disposal of assets of a bankrupt company that contained the personal information of the company’s customers.

The issues at the heart of the application first reached public attention in September 2018 when a security expert described in a blog post how he noticed that servers from the defunct company were listed for sale on Craigslist. Posing as an interested buyer, he examined the computers and found that their unwiped hard drives contained what he reported as significant amounts of sensitive customer data, including credit card information and photographs of customer identification documents. Following the blog post, the RCMP and the BC Privacy Commissioner both launched investigations. Kipling Warner, who had been a customer of the defunct company Netlink, filed law suits against Netlink, the trustee in bankruptcy which had disposed of Netlink’s assets, the auction company Able Solutions, which and sold the assets, and Netlink’s landlord. All of the law suits include claims of breach statutory obligations under the Personal Information Protection and Electronic Documents Act, breach of B.C.’s Privacy Act, and breach of B.C.’s Personal Information Protection Act. The plan was to have the law suits certified as class action proceedings. The action against Netlink was stayed due to the bankruptcy. The B.C. Supreme Court decision deals only with the action against the trustee, as leave of the court must be obtained in order to sue a trustee in bankruptcy.

As Master Harper explained in his reasons for decision, the threshold for granting leave to sue a trustee in bankruptcy is not high. The evidence presented in the claim must advance a prima facie case. Leave to proceed will be denied if the proposed action is considered frivolous or vexations, since such a lawsuit would “interfere with the due administration of the bankrupt’s estate by the trustee” (at para 9). Essentially the court must balance the competing interests of the party suing the trustee and the interest in the efficient and timely wrapping up of the bankrupt’s estate.

The decision to dismiss the application in this case was based on a number of factors. Master Harper was not impressed by the fact that the multiple law suits brought against different actors all alleged the same grounds. He described this as a “scattergun approach” that suggested a weak evidentiary foundation. The application was supported by two affidavits, one from Mr. Warner, which he described as being based on inadmissible ‘double hearsay’ and one from the blogger, Mr. Doering. While Master Harper found that the Doering affidavit contained first hand evidence from Doering’s investigation into the servers sold on Craigslist, he noted that Doering himself had not been convinced by the seller’s statements about how he came to be in possession of the servers. The Master noted that this did not provide a basis for finding that it was the trustee in bankruptcy who was responsible. The Master also noted that although an RCMP investigation had been launched at the time of the blog post, it had since concluded with no charges being laid. The Master’s conclusion was that there was no evidence to support a finding that any possible privacy breach “took place under the Trustee’s ‘supervision and control’.” (at para 58)

Although the application was dismissed, the case does highlight some important concerns about the handling of personal information in bankruptcy proceedings. Not only can customer databases be sold as assets in bankruptcy proceedings, Mr Doering’s blog post raised the spectre of computer servers and computer hard drives being disposed of without properly being wiped of the personal data that they contain. Although he dismissed the application to file suit against the Trustee, Master Harper did express some concern about the Trustee’s lack of engagement with some of the issues raised by Mr. Warner. He noted that no evidence was provided by the Trustee “as to how, or if, the Trustee seeks to protect the privacy of customers when a bankrupt’s assets (including customer information) are sold in the bankruptcy process.” (at para 44) This is an important issue, but it is one on which there is relatively little information or discussion. A 2009 blog post from Quebec flags some of the concerns raised about privacy in bankruptcy proceedings; a more recent post suggests that while larger firms are more sophisticated in how they deal with personal information assets, the data in the hands of small and medium sized firms that experience bankruptcy may be more vulnerable.

Digital and data governance is challenging at the best of times. It has been particularly challenging in the context of Sidewalk Labs’ proposed Quayside development for a number of reasons. One of these is (at least from my point of view) an ongoing lack of clarity about who will ‘own’ or have custody or control over all of the data collected in the so-called smart city. The answer to this question is a fundamentally important piece of the data governance puzzle.

In Canada, personal data protection is a bit of a legislative patchwork. In Ontario, the collection, use or disclosure of personal information by the private sector, and in the course of commercial activity, is governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA). However, the collection, use and disclosure of personal data by municipalities and their agencies is governed by the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), while the collection, use and disclosure of personal data by the province is subject to the Freedom of Information and Protection of Privacy Act (FIPPA). The latter two statutes – MFIPPA and FIPPA – contain other data governance requirements for public sector data. These relate to transparency, and include rules around access to information. The City of Toronto also has information management policies and protocols, including its Open Data Policy.

The documentation prepared for the December 13, 2018 Digital Strategy Advisory Panel (DSAP) meeting includes a slide that sets out implementation requirements for the Quayside development plan in relation to data and digital governance. A key requirement is: “Compliance with or exceedance of all applicable laws, regulations, policy documents and contractual obligations” (page 95). This is fine in principle, but it is not enough on its own to say that the Quayside project must “comply with all applicable laws”. At some point, it is necessary to identify what those applicable laws are. This has yet to be done. And the answer to the question of which laws apply in the context of privacy, transparency and data governance, depends upon who ultimately is considered to ‘own’ or have ‘custody or control’ of the data.

So – whose data is it? It is troubling that this remains unclear even at this stage in the discussions. The fact that Sidewalk Labs has been asked to propose a data governance scheme suggests that Sidewalk and Waterfront may be operating under the assumption that the data collected in the smart city development will be private sector data. There are indications buried in presentations and documentation that also suggest that Sidewalk Labs considers that it will ‘own’ the data. There is a great deal of talk in meetings and in documents about PIPEDA, which also indicates that there is an assumption between the parties that the data is private sector data. But what is the basis for this assumption? Governments can contract with a private sector company for data collection, data processing or data stewardship – but the private sector company can still be considered to act as an agent of the government, with the data being legally under the custody or control of the government and subject to public sector privacy and freedom of information laws. The presence of a private sector actor does not necessarily make the data private sector data.

If the data is private sector data, then PIPEDA will apply, and there will be no applicable access to information regime. PIPEDA also has different rules regarding consent to collection than are found in MFIPPA. If the data is considered ultimately to be municipal data, then it will be subject to MFIPPA’s rules regarding access and privacy, and it will be governed by the City of Toronto’s information management policies. These are very different regimes, and so the question of which one applies is quite fundamental. It is time for there to be a clear and forthright answer to this question.

A recent Federal Court decision highlights the risks to privacy that could flow from unrestrained access by government to data in the hands of private sector companies. It also demonstrates the importance of judicial oversight in ensuring transparency and the protection of privacy.

The Income Tax Act (ITA) gives the Minister of National Revenue (MNR) the power to seek information held by third parties where it is relevant to the administration of the income tax regime. However, where the information sought is about unnamed persons, the law requires judicial oversight. A judge of the Federal Court must review and approve the information “requirement”. Just such a matter arose in Canada (Minister of National Revenue) v. Hydro-Québec. The MNR sought information from Hydro-Québec, the province’s electrical utility, about a large number of its business customers. Only a few classes of customers, such as heavy industries that consumed very large amounts of electricity were excluded. Hydro itself did not object to the request and was prepared to fulfil it if ordered to do so by the Federal Court. The request was considered by Justice Roy who noted that because the information was about unnamed and therefore unrepresented persons, it was “up to the Court to consider their interests.” (at para 5)

Under s. 231.2(3) of the ITA, before ordering the disclosure of information about unnamed persons, a must be satisfied that:

(a) the person or group is ascertainable; and

(b) the requirement is made to verify compliance by the person or persons with any duty or obligation under this Act.

The information sought from Hydro in digital format included customer names, business numbers, full billing addresses, addresses of each place where electricity is consumed, telephone numbers associated with the account, billing start dates, and, if applicable, end dates, and any late payment notices sent to the customer.

Justice Roy noted that no information had been provided to the court to indicate whether the MNR had any suspicions about the tax compliance of business customers of Hydro-Quebec. Nor was there much detail about what the MNR planned to do with the information. The documents provided by the MNR, as summarized by the Court, stated that the MNR was “looking to identify those who seem to be carrying on a business but failed to file all the required income tax returns.” (at para 14) However, Justice Roy noted that there were clearly also plans to share the information with other groups at the Canada Revenue Agency (CRA). These groups would use the information to determine “whether the individuals and companies complied with their obligations under the ITA and the ETA”. (at para 14)

Justice Roy was sympathetic to the need of government to have powerful means of enforcing tax laws that depend upon self-reporting of income. However, he found that what the MNR was attempting to do under s. 231.2 went too far. He ruled that the words used in that provision had to be interpreted in light of “the right of everyone to be left alone by the state”. (at para 28) He observed that it is clear from the wording of the Act that “Parliament wanted to limit the scope of the Minister’s powers, extensive as they are.” (at para 68)

Justice Roy carefully reviewed past jurisprudence interpreting s. 231.2(3). He noted that the section has always received a strict interpretation by judges. In past cases where orders had been issued, the groups of unnamed persons about whom information was sought were clearly ascertainable, and the information sought was ‘directly related to these taxpayers’ tax status because it is financial in nature.” (at para 63) In the present case, he found that the group was not ascertainable, and the information sought “has nothing to do with tax-status.” (at para 63)

In his view, the aim of the request was to determine the identity of business customers of Hydro-Québec. The information was not sought in relation to a good faith audit, and with a proper factual basis. Because it was a fishing expedition meant to determine who might suitably be audited, the group of individuals identified by Hydro-Québec could not be considered “ascertainable”, as was required by the law. Justice Roy noted that no information was provided to demonstrate what “business customer” meant. He observed that “the Minister would render the concept of “ascertainable group” meaningless if, in the context of the ITA, she may claim that any group is an ascertainable group.” (at para 78) He opined that giving such broad meaning to “ascertainable” could be an abuse that would lead to violations of privacy by the state.

Justice Roy also found that the second condition of s. 231.2(3) was not met. Section 231.2(3)(b) required that the information be sought in order “to verify compliance by the person or persons in the group with any duty or obligation under this Act.” He observed that the MNR was seeking an interpretation of this provision that would amount to: “Any information the Minister may consider directly or indirectly useful”. (at para 80) Justice Roy favoured a much more restrictive interpretation, limiting it to information that could “shed light on compliance with the Act.” (at para 80) He found that “the knowledge of who has a business account with Hydro-Québec does not meet the requirement of a more direct connection between the information and documents and compliance with the Act.” (at para 80)

The MNR had argued that if the two conditions of s. 231.2(3) were met, then a judge was required to issue the authorization. Because Justice Roy found the two conditions were not met, the argument was moot. Nevertheless, he noted that even if he had found the conditions to be met, he would still have had the discretion to deny the authorization if to grant it would harm the public interest. In this case, there would be a considerable invasion of privacy “given the number of people indiscriminately included in the requirement for which authorization of the Court is being sought. (at para 88) He also found that the fact that digital data was sought increased the general risk of harm. He observed that “the applicant chose not to restrict the use she could make of the large quantity of information she received” (at para 91) and that it was clearly planned that the information would be shared within the CRA. Justice Roy concluded that even if he erred in his interpretation of the criteria in s. 231.2(3), and these criteria had to be given a broad meaning, he would still not have granted the authorization on the basis that “judicial intervention is required to prevent such an invasion of the privacy of many people in Quebec.” (at para 96) Such intervention would particularly be required where “the fishing expedition is of unprecedented magnitude and the information being sought is far from serving to verify compliance with the Act.” (at para 96)

This is a strong decision which clearly protects the public interest. It serves to highlight the privacy risks in an era where both private and public sectors amass vast quantities of personal information in digital form. Although the ITA provides a framework to ensure judicial oversight in order to limit potential abuses, there are still far too many other contexts where information flows freely and where there may be insufficient oversight, transparency or accountability.