snIP/ITs Insights on Canadian Technology and Intellectual Property Law

Category Archives: Privacy


Safari workaround claimants to get their day in UK court against Google: Google Inc v Vidal-Hall

Posted in Privacy

The ‘Safari workaround’ has cost Google millions. In 2012, it paid a civil penalty of US$22.5 million to settle charges brought by the US FTC that Google misrepresented to users of the Safari browser that it would not place tracking cookies or serve targeted advertisements to those users. In 2013 it paid US$17 million to settle US state consumer-based actions brought by State AGs.

Google was also sued over the Safari workaround in the UK by individuals claiming that Google was liable for the tort of misuse of private information and for breach of the UK Data Protection Act 1998 … Continue Reading

Canadian Courts Refuse to Settle for Weak Privacy Rights: “Imperial Oil Limited v Alberta”

Posted in Privacy

Overview

Last week, the Supreme Court of Canada (“SCC”) dismissed leave to appeal the Alberta Court of Appeal (“ABCA”) decision in Imperial Oil Limited v Alberta, thereby endorsing the ABCA’s approach to settlement privilege in the context of applications under the Freedom of Information and Protection of Privacy Act (“FOIPP”).[1] Settlement privilege is alive, well, and strongly protected in Alberta, even in the more public regulatory context, as long as parties fall within the exceptions set out in ss. 16 and 27 of FOIPP. … Continue Reading

Bill C-13: Lawful Access and the Relationship Between Organizations, Cyber-bullying and the Protection of Privacy Rights

Posted in E-Commerce, Privacy, Social Media

On December 9, 2014, Bill C-13, An Act to amend the Criminal Code, the Canada Evidence Act, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Act), also known as the Protecting Canadians from Online Crime Act, received royal assent. The Act will come into force on March 9, 2015.

The Act deals with the serious issues of online bullying, harassment and non-consensual circulation of intimate images and aims to protect Canadians from cyber-bullying and other forms of Internet exploitation.

Significant amendment to the Criminal Code

The Act notably brought two … Continue Reading

PHIPA Does Not Preclude the Recourse to Common Law for Health Privacy Violations

Posted in Privacy, Technology License Agreement

Facts

“With the click of a mouse, personal health records can be accessed by those who have a legitimate interest in properly treating a patient – or they can be accessed for an improper purpose.”

These were the opening words of the Ontario Superior Court in the case of Hopkins v. Kay[1] where Representative Plaintiffs sought to bring a class action suit against a hospital and other defendants, alleging that approximately 280 patient records of the Peterborough Regional Health Centre (the “Hospital”) were intentionally and wrongfully accessed by the Hospital’s staff and others.

The Plaintiffs based their claim on … Continue Reading

Mere Compliance With Privacy Requirements By Corporations may no Longer be Enough

Posted in Privacy, Technology License Agreement

Introduction

The Office of the Privacy Commissioner of Canada (“OPC”) recently published a research paper entitled “Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities”, which outlines the common interests and tensions between privacy and cyber security. The report sets out key policy indications with a view to generating dialogue on cyber security as an important element of online protection, while acknowledging that cyberspace governance is a global issue.

Context

The OPC bases its report on the following factual premises. As technologies facilitating access to the Internet have become increasingly entrenched in everyday life, … Continue Reading

New Year, New Mandatory Breach Reporting

Posted in Data Breach, Privacy

Overview

It is rumoured that Bill 12, which amended the Alberta Health Information Act (“HIA”) and was passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA:

  1. adds mandatory breach notification provisions;
  2. authorizes the Office of the Information and Privacy Commissioner (“OIPC”) to disclose information about a breach in certain situations; and
  3. creates new offences and penalties.

We will discuss these 3 amendments in turn.

Continue Reading

Alberta PIPA Amendments: Much Ado About Nothing?

Posted in Privacy

Just in time for the new year, Alberta’s Personal Information Protection Act (“PIPA”) was amended by Bill 3, which came into force on December 17, 2014. These amendments were in response to the Supreme Court of Canada decision to strike down PIPA in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”) on the basis that it infringed on the union’s freedom of expression.

Continue Reading

The “Right to be Forgotten” Guideline from the Article 29 Working Party

Posted in Privacy

In the landmark ruling in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (case no. C-131/12, May 13, 2014), the Court of Justice of the European Union (CJEU) recognized that search engines are controllers of the personal information they process. As such, they have the obligation, in appropriate cases, to de-list links to personal information in their search results.

The González decision left open questions about the scope of the duty and the criteria to be used in determining what links must be delisted, something which Google, data protection authorities, and others had … Continue Reading

SCC Holds Disclosure of Private Communications Engages Constitutional Rights

Posted in Privacy

In its Nov. 14, 2014 decision in Wakeling v. United States of America, 2014 SCC 72, the Supreme Court of Canada (SCC) held that s. 8 of the Canadian Charter of Rights and Freedoms (the Charter) (the right to be free from unreasonable search and seizure) applies to the disclosure of communications obtained through a wiretap to police authorities in a foreign jurisdiction.… Continue Reading

The most hackable month of the year: steps companies can take to protect themselves from data breaches

Posted in Data Breach, E-Commerce, Privacy

In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.

How big is the risk?

The malevolently-inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that the average size of a breach is about 30,000 records) and more damaging (the average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15-million. … Continue Reading

Mobile App Privacy Practices: The Office of the Privacy Commissioner of Canada Issues Tips For Communicating Privacy Practices to App Users

Posted in Privacy

Communicating privacy practices to users of mobile apps can be challenging, especially given small screen sizes and the difficulty of capturing app user attention.  The Office of the Privacy Commissioner of Canada (OPC) has acknowledged these challenges and, in September 2014, published Ten Tips for Communicating Privacy Practices to Your App’s Users.

These tips were provided in connection with the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which the OPC participated in along with twenty-five other privacy enforcement authorities from around the world.

The GPEN Privacy Sweep assessed 1,211 apps with a focus on … Continue Reading

Lapse of Alberta PIPA Thwarted

Posted in Privacy

In my blog dated October 17, 2014, titled “Impending Lapse of PIPA Creates Uncertainty”, I explored the consequences of PIPA being struck had the Alberta government failed to amend PIPA to comply with the Canadian Charter of Rights and Freedoms (the “Charter”) and meet the November 15, 2014 deadline.

Since my October 17, 2014 blog, I have had the opportunity to meet Jill Clayton, the Alberta Information and Privacy Commissioner. In my discussion with Jill Clayton, she advised me that, on October 31, 2014, the Alberta government was granted a 6-month extension to amend PIPA and ensure compliance. … Continue Reading

Impending Lapse of PIPA Creates Uncertainty

Posted in Privacy

On November 15, 2013, the Supreme Court of Canada struck down the Alberta Personal Information Protection Act (“PIPA”) in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”), and despite a one-year stay to allow for necessary amendments, delay on the part of the Alberta government has caused PIPA’s lapse to become an inevitability.

The SCC found that sections of PIPA violated the right to freedom of expression enshrined in s. 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”). Further, the SCC found … Continue Reading

“Objectively Reasonable” and Privacy: Recent Developments

Posted in Privacy

The ubiquitous and rapidly-evolving nature of technology has recently necessitated serious consideration of our “reasonable expectation of privacy.” This concept is at the core of Canadian privacy law. In particular, the concept is a key part of the Charter test for s. 8, the right to be secure against unreasonable search and seizure. The Supreme Court of Canada (“SCC”) grappled with these questions in R v Cole[1] and R v Vu[2], and more recently, the British Columbia and Ontario Courts of Appeal applied these Charter principles to couriered packages and USB keys in R … Continue Reading

Intrusion Upon Seclusion Part 2: Implications for Businesses Across Canada

Posted in Privacy

Recently, my colleagues Sean Griffin and Ann-Elisabeth Simard considered the Evans v Bank of Nova Scotia (“Evans”) decision wherein the Ontario Supreme Court (the “Court”) certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”). You can access their blog here.

Evans has set a precedent for the low threshold required to be met for certification in class actions concerning breaches of information privacy. In this blog, we will canvass the implications of the Evans … Continue Reading

You can stay anonymous: SCC recognizes a privacy interest in protecting anonymity on the Internet

Posted in Privacy

On June 13, 2014, in a landmark privacy ruling, the Supreme Court of Canada (“SCC”) in R v Spencer[1] (“Spencer”) unanimously recognized that, in addition to confidentiality and control of the use of personal information, there may be a privacy interest in protecting anonymity in the context of internet usage. In this decision, the SCC decided that a person has a reasonable expectation of privacy associated with Internet activities and that the “lawful authority” exemption in PIPEDA does not create a basis to provide such information to the police unless the police actually demonstrate that … Continue Reading

Notice and notice regime under C-11 coming into force

Posted in Copyright, Privacy

The Government announced today that the notice and notice regime established under C-11 is coming into force. The delay in bringing these provisions into force was due to consultations on possible regulations that the regime permitted. The Government announced that the provisions are coming into force without regulations.

The regime permits copyright owners to send notices to internet service providers and other internet intermediaries claiming infringement of copyright. The notices must be passed on by these service providers to their users. Because there are no regulations, the notices must be processed and passed on by the internet intermediaries without any fees … Continue Reading

What’s the difference between Google and an elephant? An elephant never forgets.

Posted in Privacy, Regulatory Compliance

Last month, in a bombshell decision, the European Union’s Court of Justice (“CJEU”) demanded that Google “forget” certain items. The demand resulted from a CJEU decision that individuals have a right to request that a search engine remove certain webpage links from the search results of a search including the individual’s name. The ruling is, for all intents and purposes, final.

In short, the CJEU decided that Google Inc. is subject to the EU Data Protection Directive 94/46 (“Directive”), even though its servers were located outside the EU. As a result, Google was a data processor and data controller within … Continue Reading

Big Data – Big Problem? The FTC Recommends the US Congress Rein in Data Brokers

Posted in Privacy

Big Data is the term used to describe the enormous datasets that are beyond the ability of most software to process. Statistical analysis of these giant data sets can allow the holder to predict baseball outcomes (think Moneyball), pregnancy and, apparently, the stock market.

These enormous data sets, however, are made up of data pertaining to individuals, and the data brokers who amass these data sets have been less than forthcoming about the personal information they hold, raising privacy concerns.

This is the conclusion of a U.S. Federal Trade Commission (“FTC”) report last week which found “data brokers … Continue Reading

Privacy Breaches: Statutory Torts of British Columbia’s Privacy Act Override Forum Selection Clauses

Posted in Privacy, Regulatory Compliance

On May 30, 2014, the Supreme Court of British Columbia rendered a judgment certifying a class action against Facebook Inc. (“Facebook”). In Douez v. Facebook Inc.[1], the plaintiff alleges that Facebook used the names or portraits of Facebook users without their consent in advertisements called Sponsored Stories, in breach of section 3(2) of British Columbia’s Privacy Act[2], which creates a statutory tort. This case, in a pre-certification stage, also dealt with the question of whether a court should decline its jurisdiction in the presence of a forum selection clause or pursuant to the forum non … Continue Reading

Barry Sookman comments on Google privacy case

Posted in Consumer Protection, Privacy

Our partner Barry Sookman was interviewed by CTV News Channel this morning to discuss today’s Court of Justice of the European Union judgment concerning Google and ordinary people’s “right to be forgotten”. The Court ruled that Google must amend some of its search results at the request of ordinary people when the results show links to outdated, irrelevant information. The case is bound to lead to further questions about the scope of the duties of search engines such as Google under EU laws.

View the interview here.… Continue Reading

Clotting Heartbleed: Guidance on Privacy Breaches, Notification Obligations and Proposed Amendments to Privacy Legislation

Posted in E-Commerce, Privacy, Regulatory Compliance

Canadian organizations with control over personal information should be aware of the privacy vulnerabilities of Heartbleed and their related legal obligations. Below, we have summarized: (1) the risks of Heartbleed; (2) the notification obligations of organizations that have experienced a privacy breach; (3) amendments to those obligations, as proposed by the federal government; and (4) recommendations  to protect your organization from privacy breaches and legal liability.

HEARTBLEED

Heartbleed is a serious security vulnerability that exists in certain versions of the OpenSSL software. OpenSSL is an open source software module created to implement certain cryptographic functions and provide various utility functions. … Continue Reading

The Digital Privacy Act: Proposed Amendments to PIPEDA

Posted in Privacy

On Tuesday April 2, 2014, the government gave first reading to proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These amendments have been tabled as Bill S-4 in the Senate (the “Bill”), which is entitled the Digital Privacy Act.

The Bill is broadly similar to the former Bill C-29, which was introduced in 2010 but never passed. However, there are some changes, particularly in introducing a new “compliance agreement” paradigm.

Broadly, the major changes proposed in the Bill can be summarized as follows.  The Bill would:

  • Require mandatory reporting of security breaches
Continue Reading

Ontario Superior Court Revisits and Broadens Jones v Tsige

Posted in Privacy

In the recent case Hopkins v Kay, the Ontario Superior Court of Justice declined to strike a claim for the tort of intrusion upon seclusion. In doing so, the court appears to have broadened the scope of the tort as set out in Jones v Tsige. Companies should be aware of this broadening of the tort of intrusion upon seclusion and take steps to prevent such intrusion.

Background

In January 2012, the Ontario Court of Appeal released Jones v Tsige, in which it held that there is a tort of intrusion upon … Continue Reading