Following the 2012 decision of Jones v Tsige (“Jones”), there has been judicial debate in Canada over the recognition and adoption of common law privacy torts, such as the tort of intrusion upon seclusion. Recently, the Ontario Superior Court of Justice in Doe v D (“Doe”) expressly recognized the tort of “public disclosure of private facts” to expand the scope of privacy protection in Canadian common law. … Continue Reading
Regular readers of this blog will be aware that, last fall, the Court of Justice of the European Union struck down the Safe Harbour framework which permitted the lawful transfer of personal information from the EU to the US through a self-certification model. Negotiations between the European and US authorities to update or replace the framework were already underway prior to this decision, but the Court’s intervention raised the stakes dramatically. The Article 29 Working Party (WP29) had set a deadline of the end of January after which European Data Protection Authorities (DPAs) might begin coordinated enforcement actions against organizations … Continue Reading
Throughout 2015, the Online Trust Alliance (“OTA”) (a U.S.-based non-profit organization which originated in 2005 as an informal industry working group drawn largely from the technology and marketing communities) has been working on a so-called “Trust Framework” for the Internet of Things. An earlier post covered the release of the first discussion draft in August.
Although this draft is described as “pre-release”, the OTA’s consultation process for the framework appears to be over now. … Continue Reading
Given the popularity and prevalence of mobile devices such as smart phones and tablets in today’s world, it is no surprise that Bring Your Own Device (“BYOD”) programs have become an increasingly common arrangement for organizations. BYOD programs allow employees to use their own mobile device for both personal and business purposes, blurring the traditional line between work and play. A recent report indicates that more than 75% of Canadian businesses support employee-purchased smartphones and tablets in the workplace.
Properly implemented BYOD programs are appealing to organizations for many reasons. First, it allows them to save substantially … Continue Reading
On Friday, October 16, 2015, the Article 29 Working Party (“WP29”) released a statement on the decision of the Court of Justice of the European Union (“CJEU”) in the case Schrems v Data Protection Commissioner (C-362-14), the landmark decision which invalidated the decision of the European Commission underpinning the Safe Harbour framework by which personal information was permitted to move from the EU to the United States.… Continue Reading
On October 6, 2015, the Court of Justice of the European Union (“CJEU”) declared that the US-EU Safe Harbour framework is invalid, striking it down in the highly anticipated case of Schrems v. Data Protection Commissioner. The decision is effective immediately, with far-reaching and widespread implications for entities with multinational data flows.
Since EU data protection laws purport to apply to the processing of personal data regardless of whether the individuals affected are EU citizens or not, or are physically present in the EU or not, the potential impacts of this decision go beyond those organizations with … Continue Reading
In the recent decision of Doe v Her Majesty The Queen, 2015 FC 916 (“Doe”), the Federal Court granted conditional certification of a class action brought on behalf of members of the Marihuana Medical Access Program (“MMAP“). This conditional certification is notable as it, alongside the recent case Evans v. Bank of Nova Scotia (“Evans“), is one of the few class actions certified in Canada relating to breaches of privacy. Particularly of interest is the Plaintiffs’ allegation that the Defendant committed the tort of intrusion upon seclusion and of publicity given to private … Continue Reading
By some estimates, there were more than 2 wireless networked devices for every person on the planet in 2014. The multiplier is expected to reach 5 by the year 2020.
This explosive proliferation of networked technology offers remarkable opportunities, but also inspires concern that the connected future may result in ubiquitous, inescapable, surveillance of every aspect of our lives. Legislators and regulators around the world are grappling with the implications of this technology for the ability to protect personal privacy interests and the practical problems of applying legal regimes originally developed in a very different era.
Against this backdrop, … Continue Reading
In today’s Internet, advertising is ubiquitous. It is the main source of revenue for many web sites and services. It is also the subject of increasing scrutiny by privacy advocates and regulators, as advertisers and ad networks develop ever-more sophisticated means to track and profile users in the quest to optimize their effectiveness.
In Canada, online behavioural advertising (sometimes referred to as interest-based advertising) has been the subject of significant attention from the Office of the Privacy Commissioner. The Office recently released a research report on the subject, concluding that many organizations and web sites are not fully-compliant with the … Continue Reading
However, local laws sometimes modify or invalidate these kinds of agreements. For … Continue Reading
The Ontario Securities Commission (“OSC”) has announced a series of criminal and quasi-criminal charges following an investigation related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital. The OSC charges stem from allegations that a RESP sales representative purchased stolen maternity patient labels from a hospital nurse over a two-and-a-half-year period. The health information of approximately 14,000 new mothers was allegedly compromised.
This comes 6 months after a separate review by the Information and Privacy Commissioner of Ontario (“IPC”) which determined that Rouge Valley Health System failed to put in place “reasonable … Continue Reading
Grant v. Winnipeg Regional Health Authority et al., 2015 MBCA 44 (“Grant”), is a successful appeal of the decision of the motion judge, which upheld the decision of the Master striking parts of an amended statement of claim as disclosing no reasonable cause of action. In doing so, the Manitoba Court of Appeal (the “Court”) held that the tort of intrusion upon seclusion, as set out in Jones v Tsige, may allow family members, who claim to have suffered as a result of a breach of a privacy interest of another member, to advance … Continue Reading
On March 24, the BC Freedom of Information and Privacy Association (FIPA) released a report titled, “The Connected Car: Who Is In the Driver’s Seat” (the “Report”). The 123-page Report describes the increasing use of digital features and services in today’s automobiles and, among other things, recommends that the federal government enact data protection regulations aimed specifically at the auto sector. The Report is authored principally by Phillippa Lawson, formerly the Executive Director of the Canadian Internet Policy and Public Interest Clinic.
There is more and more software being used in vehicles, and there are a growing number … Continue Reading
McCarthy Tétrault has just launched its twelfth blog, CyberLex, at http://www.canadiancybersecuritylaw.com. This blog discusses trends and developments in cybersecurity, privacy and data protection law in Canada and internationally; offers practical suggestions and insights on how these issues affect companies in a wide variety of industries; and provides guidance on how to address various challenges and opportunities created by technology and legislative developments.
The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.
Google was also sued over the Safari workaround in the UK by individuals claiming that Google was liable for the tort of misuse of private information and for breach of the UK Data Protection Act 1998 … Continue Reading
Last week, the Supreme Court of Canada (“SCC”) dismissed leave to appeal the Alberta Court of Appeal (“ABCA”) decision in Imperial Oil Limited v Alberta., thereby endorsing the ABCA’s approach to settlement privilege in the context of applications under the Freedom of Information and Protection of Privacy Act (“FOIPP”). Settlement privilege is alive, well, and strongly protected in Alberta, even in the more public regulatory context, as long as parties fall within the exceptions set out in ss. 16 and 27 of FOIPP.… Continue Reading
On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act) – also known as the Protecting Canadians from Online Crime Act –, received the royal assent. The Act will come into force on March 9, 2015.
The Act deals with the serious issues of online bullying, harassment and non-consensual circulation of intimate images and aims the protection of Canadians from cyber-bullying and other forms of Internet exploitation.
Significant amendment to the Criminal Code
The Act notably brought two … Continue Reading
‘‘With the click of a mouse, personal health records can be accessed by those who have a legitimate interest in properly treating a patient – or they can be accessed for an improper purpose.’’
These were the opening words of the Ontario Superior Court in the case of Hopkins v. Kay where Representative Plaintiffs sought to bring a class action suit against a hospital and other defendants, alleging that approximately 280 patient records of the Peterborough Regional Health Centre (the ‘‘Hospital’’) were intentionally and wrongfully accessed by the Hospital’s staff and others.
The Plaintiffs based their claim on … Continue Reading
The Office of the Privacy Commissioner of Canada (‘‘OPC’’) recently published a research paper entitled ‘‘Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities’’ in which are outlined the common interests and tensions between privacy and cyber security. The report sets out key policy indications with a view to generating dialogue on cyber security as an important element of online protection, while acknowledging that cyberspace governance is a global issue.
The OPC bases its report on the following factual premises. As technologies facilitating access to the Internet have become increasingly entrenched in everyday life, … Continue Reading
It is rumoured that Bill 12 that amended the Alberta Health Information Act (“HIA”), passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA:
- adds mandatory breach notification provisions;
- authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
- creates new offences and penalties.
We will discuss these 3 amendments in turn.
Just in time for the new year, the Alberta’s Personal Information Protection Act (“PIPA”) was amended by Bill 3 which came into force on December 17, 2014. These amendments were in response to the Supreme Court of Canada decision to struck down PIPA in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”) on the basis that it infringed on the union’s freedom of expression.
In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.
The Gonzales decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had … Continue Reading
In its Nov. 14, 2014 decision in Wakeling v. United States of America, 2014 SCC 72, the Supreme Court of Canada (SCC) held that s. 8 of the Canadian Charter of Rights and Freedoms (the Charter) (the right to be free from unreasonable search and seizure) applies to the disclosure of communications obtained through a wiretap to police authorities in a foreign jurisdiction.… Continue Reading
In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.
How big is the risk?
The malevolently-inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that average size of a breach is about 30,000 records) and more damaging (average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15-million. … Continue Reading