snIP/ITs Insights on Canadian Technology and Intellectual Property Law

Category Archives: Privacy

Subscribe to Privacy RSS Feed

Online Trust Alliance releases draft “Trust Framework” for the Internet of Things

Posted in Privacy, Regulatory Compliance

By some estimates, there were more than 2 wireless networked devices for every person on the planet in 2014. The multiplier is expected to reach 5 by the year 2020.

This explosive proliferation of networked technology offers remarkable opportunities, but also inspires concern that the connected future may result in ubiquitous, inescapable, surveillance of every aspect of our lives. Legislators and regulators around the world are grappling with the implications of this technology for the ability to protect personal privacy interests and the practical problems of applying legal regimes originally developed in a very different era.

Against this backdrop, … Continue Reading

W3C Releases Draft Do-Not-Track Compliance Standards

Posted in Privacy

In today’s Internet, advertising is ubiquitous. It is the main source of revenue for many web sites and services. It is also the subject of increasing scrutiny by privacy advocates and regulators, as advertisers and ad networks develop ever-more sophisticated means to track and profile users in the quest to optimize their effectiveness.

In Canada, online behavioural advertising (sometimes referred to as interest-based advertising) has been the subject of significant attention from the Office of the Privacy Commissioner. The Office recently released a research report on the subject, concluding that many organizations and web sites are not fully-compliant with the … Continue Reading

BC Privacy Act Does Not Oust Facebook’s Forum Selection Clause: BC Court of Appeal

Posted in Privacy, Social Media

How do operators of global services deal with the panoply of legal systems around the world? One common strategy relies on choice of law and forum selection clauses in Terms of Use agreements. These clauses purport to determine in advance what law will apply to disputes and where they will be heard. Canadian courts tend to enforce such agreements, on the basis that the parties are generally best-placed to decide for themselves how to govern their affairs. Such agreements promote certainty, which courts (and parties) usually finds comforting.

However, local laws sometimes modify or invalidate these kinds of agreements. For … Continue Reading

Hospital Privacy Breach Results in OSC Laying Charges

Posted in Privacy

The Ontario Securities Commission (“OSC”) has announced a series of criminal and quasi-criminal charges following an investigation related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital. The OSC charges stem from allegations that a RESP sales representative purchased stolen maternity patient labels from a hospital nurse over a two-and-a-half-year period. The health information of approximately 14,000 new mothers was allegedly compromised.

This comes 6 months after a separate review by the Information and Privacy Commissioner of Ontario (“IPC”) which determined that Rouge Valley Health System failed to put in place “reasonable … Continue Reading

Manitoba Court Interprets the Common Law Tort of Intrusion Upon Seclusion

Posted in Privacy

Grant v. Winnipeg Regional Health Authority et al., 2015 MBCA 44 (“Grant”), is a successful appeal of the decision of the motion judge, which upheld the decision of the Master striking parts of an amended statement of claim as disclosing no reasonable cause of action. In doing so, the Manitoba Court of Appeal (the “Court”) held that the tort of intrusion upon seclusion, as set out in Jones v Tsige, may allow family members, who claim to have suffered as a result of a breach of a privacy interest of another member, to advance … Continue Reading

FIPA Report Calls For Unnecessary Regulation of Auto Sector Privacy: Are Other Sectors of the Economy Next?

Posted in Privacy

On March 24, the BC Freedom of Information and Privacy Association (FIPA) released a report titled, The Connected Car: Who Is In the Driver’s Seat (the “Report”). The 123-page Report describes the increasing use of digital features and services in today’s automobiles and, among other things, recommends that the federal government enact data protection regulations aimed specifically at the auto sector. The Report is authored principally by Phillippa Lawson, formerly the Executive Director of the Canadian Internet Policy and Public Interest Clinic.

There is more and more software being used in vehicles, and there are a growing number … Continue Reading

McCarthy Tétrault launches CyberLex blog

Posted in Consumer Protection, Data Breach, Privacy

McCarthy Tétrault has just launched its twelfth blog, CyberLex, at http://www.canadiancybersecuritylaw.com. This blog discusses trends and developments in cybersecurity, privacy and data protection law in Canada and internationally; offers practical suggestions and insights on how these issues affect companies in a wide variety of industries; and provides guidance on how to address various challenges and opportunities created by technology and legislative developments.

Please visit the blog!… Continue Reading

Safari workaround claimants to get their day in UK court against Google: Google Inc v Vidal-Hall

Posted in Privacy

The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.

Google was also sued over the Safari workaround in the UK by individuals claiming that Google was liable for the tort of misuse of private information and for breach of the UK Data Protection Act 1998 … Continue Reading

Canadian Courts Refuse to Settle for Weak Privacy Rights: “Imperial Oil Limited v Alberta”

Posted in Privacy

Overview

Last week, the Supreme Court of Canada (“SCC”) dismissed leave to appeal the Alberta Court of Appeal (“ABCA”) decision in Imperial Oil Limited v Alberta., thereby endorsing the ABCA’s approach to settlement privilege in the context of applications under the Freedom of Information and Protection of Privacy Act (“FOIPP”).[1] Settlement privilege is alive, well, and strongly protected in Alberta, even in the more public regulatory context, as long as parties fall within the exceptions set out in ss. 16 and 27 of FOIPP.Continue Reading

Bill C-13: Lawful Access and the Relationship Between Organizations, Cyber-bullying and the Protection of Privacy Rights

Posted in E-Commerce, Privacy, Social Media

On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act) – also known as the Protecting Canadians from Online Crime Act –, received the royal assent. The Act will come into force on March 9, 2015.

The Act deals with the serious issues of online bullying, harassment and non-consensual circulation of intimate images and aims the protection of Canadians from cyber-bullying and other forms of Internet exploitation.

Significant amendment to the Criminal Code

The Act notably brought two … Continue Reading

PHIPA Does Not Preclude the Recourse to Common Law for Health Privacy Violations

Posted in Privacy, Technology License Agreement

Facts

‘‘With the click of a mouse, personal health records can be accessed by those who have a legitimate interest in properly treating a patient – or they can be accessed for an improper purpose.’’

These were the opening words of the Ontario Superior Court in the case of Hopkins v. Kay[1] where Representative Plaintiffs sought to bring a class action suit against a hospital and other defendants, alleging that approximately 280 patient records of the Peterborough Regional Health Centre (the ‘‘Hospital’’) were intentionally and wrongfully accessed by the Hospital’s staff and others.

The Plaintiffs based their claim on … Continue Reading

Mere Compliance With Privacy Requirements By Corporations may no Longer be Enough

Posted in Privacy, Technology License Agreement

Introduction

The Office of the Privacy Commissioner of Canada (‘‘OPC’’) recently published a research paper entitled ‘‘Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities’’ in which are outlined the common interests and tensions between privacy and cyber security. The report sets out key policy indications with a view to generating dialogue on cyber security as an important element of online protection, while acknowledging that cyberspace governance is a global issue.

Context

The OPC bases its report on the following factual premises. As technologies facilitating access to the Internet have become increasingly entrenched in everyday life, … Continue Reading

New Year, New Mandatory Breach Reporting

Posted in Data Breach, Privacy

Overview

It is rumoured that Bill 12 that amended the Alberta Health Information Act (“HIA”), passed on May 14, 2014, will come into force this year.  Bill 12 made 3 significant changes to the HIA:

  1. adds mandatory breach notification provisions;
  2. authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
  3. creates new offences and penalties.

We will discuss these 3 amendments in turn.

Continue Reading

Alberta PIPA Amendments: Much Ado About Nothing?

Posted in Privacy

Just in time for the new year, the Alberta’s Personal Information Protection Act (“PIPA”) was amended by Bill 3 which came into force on December 17, 2014.  These amendments were in response to the Supreme Court of Canada decision to struck down PIPA in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”) on the basis that it infringed on the union’s freedom of expression.

Continue Reading

The “Right to be Forgotten” Guideline from the Article 29 Working Party

Posted in Privacy

In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.

The Gonzales decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had … Continue Reading

SCC Holds Disclosure of Private Communications Engages Constitutional Rights

Posted in Privacy

In its Nov. 14, 2014 decision in Wakeling v. United States of America, 2014 SCC 72, the Supreme Court of Canada (SCC) held that s. 8 of the Canadian Charter of Rights and Freedoms (the Charter) (the right to be free from unreasonable search and seizure) applies to the disclosure of communications obtained through a wiretap to police authorities in a foreign jurisdiction.… Continue Reading

The most hackable month of the year: steps companies can take to protect themselves from data breaches

Posted in Data Breach, E-Commerce, Privacy

In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.

How big is the risk?

The malevolently-inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that average size of a breach is about 30,000 records) and more damaging (average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15-million. … Continue Reading

Mobile App Privacy Practices: The Office of the Privacy Commissioner of Canada Issues Tips For Communicating Privacy Practices to App Users

Posted in Privacy

Communicating privacy practices to users of mobile apps can be challenging, especially given small screen sizes and the difficulty of capturing app user attention.  The Office of the Privacy Commissioner of Canada (OPC) has acknowledged these challenges and, in September 2014, published Ten Tips for Communicating Privacy Practices to Your App’s Users.

These tips were provided in connection with the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which the OPC participated in along with twenty-five other privacy enforcement authorities from around the world.

The GPEN Privacy Sweep assessed 1,211 apps with a focus on … Continue Reading

Lapse of Alberta PIPA Thwarted

Posted in Privacy

In my blog dated October 17, 2014, titled, “Impending Lapse of PIPA Creates Uncertainty”, I explored the consequences of PIPA being struck had the Alberta government failed to amend PIPA to comply with the Canadian Charter of Rights and Freedom (the “Charter”) and meet the November 15, 2014 deadline.

Since my October 17, 2014 blog, I have had the opportunity to meet Jill Clayton, the Alberta Information and Privacy Commissioner. In my discussion with Jill Clayton, she advised me that, on October 31, 2014, the Alberta government was granted a 6 month extension to amend PIPA and ensure compliance. … Continue Reading

Impending Lapse of PIPA Creates Uncertainty

Posted in Privacy

On November 15, 2013, the Supreme Court of Canada struck down the Alberta Personal Information Protection Act (“PIPA”) in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”), and despite a one-year stay to allow for necessary amendments, delay on the part of the Alberta government has caused PIPA’s lapse to become an inevitability.

The SCC found that sections of PIPA violated the right to freedom of expression enshrined in s. 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”). Further, the SCC found … Continue Reading

“Objectively Reasonable” and Privacy: Recent Developments

Posted in Privacy

The ubiquitous and rapidly-evolving nature of technology has recently necessitated serious consideration of our “reasonable expectation of privacy.”  This concept is at the core of Canadian privacy law. In particular, the concept is a key part of the Charter test for s. 8, the right to be secure against unreasonable search and seizure. The Supreme Court of Canada (“SCC”) grappled with these questions in R v Cole[1] and R v Vu[2], and more recently, the British Columbia and Ontario Courts of Appeal applied these Charter principles to couriered packages and USB keys in R Continue Reading

Intrusion Upon Seclusion Part 2: Implications for Businesses Across Canada

Posted in Privacy

Recently, my colleagues Sean Griffin and Ann-Elisabeth Simard considered the Evans v Bank of Nova Scotia (“Evans”) decision wherein the Ontario Supreme Court (the “Court”) certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”).  You can access his blog here.

Evans has set a precedent for the low threshold required to be met for certification in class actions concerning breaches of information privacy. In this blog, we will canvass the implications of the EvansContinue Reading

You can stay anonymous: SCC recognizes a privacy interest in protecting anonymity on the Internet

Posted in Privacy

On June 13, 2014, in a landmark privacy ruling, the Supreme Court of Canada (“SCC”) in R v Spencer[1] (“Spencer”) unanimously recognized that, in addition to confidentiality and control of the use of personal information, there may be a privacy interest in protecting anonymity in the context of internet usage. In this decision, the SCC decided that a person has a reasonable expectation of privacy associated with Internet activities and that the “lawful authority” exemption in PIPEDA does not create a basis to provide such information to the police unless the police actually demonstrate that … Continue Reading

Notice and notice regime under C-11 coming into force

Posted in Copyright, Privacy

The Government announced today that the notice and notice regime established under C-11 is coming into force. The delay in bringing these provisions into force was a consultations on possible regulations that the regime permitted. The Government announced that the provisions are coming into force without regulations.

The regime permits copyright owners to send notices to internet service providers and other internet intermediaries claiming infringement of copyright. The notices must be passed on by these service providers to their users. Because there are no regulations, the notices must be processed and passed on by the internet intermediaries without any fees … Continue Reading