snIP/ITs Insights on Canadian Technology and Intellectual Property Law

Category Archives: Privacy


Mobile App Privacy Practices: The Office of the Privacy Commissioner of Canada Issues Tips For Communicating Privacy Practices to App Users

Posted in Privacy

Communicating privacy practices to users of mobile apps can be challenging, especially given small screen sizes and the difficulty of capturing app user attention.  The Office of the Privacy Commissioner of Canada (OPC) has acknowledged these challenges and, in September 2014, published Ten Tips for Communicating Privacy Practices to Your App’s Users.

These tips were provided in connection with the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which the OPC participated in along with twenty-five other privacy enforcement authorities from around the world.

The GPEN Privacy Sweep assessed 1,211 apps with a focus on … Continue Reading

Lapse of Alberta PIPA Thwarted

Posted in Privacy

In my blog dated October 17, 2014, titled, “Impending Lapse of PIPA Creates Uncertainty”, I explored the consequences of PIPA being struck had the Alberta government failed to amend PIPA to comply with the Canadian Charter of Rights and Freedoms (the “Charter”) and meet the November 15, 2014 deadline.

Since my October 17, 2014 blog, I have had the opportunity to meet Jill Clayton, the Alberta Information and Privacy Commissioner. In my discussion with Jill Clayton, she advised me that, on October 31, 2014, the Alberta government was granted a 6 month extension to amend PIPA and ensure compliance. … Continue Reading

Impending Lapse of PIPA Creates Uncertainty

Posted in Privacy

On November 15, 2013, the Supreme Court of Canada struck down the Alberta Personal Information Protection Act (“PIPA”) in Alberta (Information and Privacy Commissioner) v United Food and Commercial Workers, Local 401, 2013 SCC 62 (“United Food”), and despite a one-year stay to allow for necessary amendments, delay on the part of the Alberta government has caused PIPA’s lapse to become an inevitability.

The SCC found that sections of PIPA violated the right to freedom of expression enshrined in s. 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”). Further, the SCC found … Continue Reading

“Objectively Reasonable” and Privacy: Recent Developments

Posted in Privacy

The ubiquitous and rapidly-evolving nature of technology has recently necessitated serious consideration of our “reasonable expectation of privacy.”  This concept is at the core of Canadian privacy law. In particular, the concept is a key part of the Charter test for s. 8, the right to be secure against unreasonable search and seizure. The Supreme Court of Canada (“SCC”) grappled with these questions in R v Cole[1] and R v Vu[2], and more recently, the British Columbia and Ontario Courts of Appeal applied these Charter principles to couriered packages and USB keys in R … Continue Reading

Intrusion Upon Seclusion Part 2: Implications for Businesses Across Canada

Posted in Privacy

Recently, my colleagues Sean Griffin and Ann-Elisabeth Simard considered the Evans v Bank of Nova Scotia (“Evans”) decision wherein the Ontario Supreme Court (the “Court”) certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”).  You can access his blog here.

Evans has set a precedent for the low threshold required to be met for certification in class actions concerning breaches of information privacy. In this blog, we will canvass the implications of the Evans … Continue Reading

You can stay anonymous: SCC recognizes a privacy interest in protecting anonymity on the Internet

Posted in Privacy

On June 13, 2014, in a landmark privacy ruling, the Supreme Court of Canada (“SCC”) in R v Spencer[1] (“Spencer”) unanimously recognized that, in addition to confidentiality and control of the use of personal information, there may be a privacy interest in protecting anonymity in the context of internet usage. In this decision, the SCC decided that a person has a reasonable expectation of privacy associated with Internet activities and that the “lawful authority” exemption in PIPEDA does not create a basis to provide such information to the police unless the police actually demonstrate that … Continue Reading

Notice and notice regime under C-11 coming into force

Posted in Copyright, Privacy

The Government announced today that the notice and notice regime established under C-11 is coming into force. The delay in bringing these provisions into force was due to consultations on possible regulations that the regime permitted. The Government announced that the provisions are coming into force without regulations.

The regime permits copyright owners to send notices to internet service providers and other internet intermediaries claiming infringement of copyright. The notices must be passed on by these service providers to their users. Because there are no regulations, the notices must be processed and passed on by the internet intermediaries without any fees … Continue Reading

What’s the difference between Google and an elephant? An elephant never forgets.

Posted in Privacy, Regulatory Compliance

Last month, in a bombshell decision, the European Union’s Court of Justice (“CJEU”) demanded that Google “forget” certain items. The demand resulted from a CJEU decision that individuals have a right to request that a search engine remove certain webpage links from the search results of a search including the individual’s name. The ruling is, for all intents and purposes, final.

In short, the CJEU decided that Google Inc. is subject to the EU Data Protection Directive 94/46 (“Direction”), even though its servers were located outside the EU. As a result, Google was a data processor and data controller within … Continue Reading

Big Data – Big Problem? The FTC Recommends the US Congress Rein in Data Brokers

Posted in Privacy

Big Data is the term used to describe the enormous datasets that are beyond the ability of most software to process. Statistical analysis of these giant data sets can allow the holder to predict baseball outcomes (think Moneyball), pregnancy  and, apparently, the stock market.

These enormous data sets, however, are made up of data pertaining to individuals, and the data brokers who amass these data sets have been less than forthcoming about the personal information they hold, raising privacy concerns.

This is the conclusion of a U.S. Federal Trade Commission (“FTC”) report last week which found “data brokers … Continue Reading

Privacy Breaches: Statutory Torts of the British Columbia’s Privacy Act Override Forum Selection Clauses

Posted in Privacy, Regulatory Compliance

On May 30, 2014, the Supreme Court of British Columbia rendered a judgment certifying a class action against Facebook Inc. (“Facebook”). In Douez v. Facebook Inc.[1], the plaintiff alleges that Facebook used the names or portraits of Facebook users without their consent in advertisements called Sponsored Stories in breach of section 3(2) of British Columbia’s Privacy Act[2], which creates a statutory tort. This case, in a pre-certification stage, also dealt with the question of whether a court should decline its jurisdiction in the presence of a forum selection clause or pursuant to the forum non … Continue Reading

Barry Sookman comments on Google privacy case

Posted in Consumer Protection, Privacy

Our partner Barry Sookman was interviewed by CTV News Channel this morning to discuss today’s Court of Justice of the European Union judgment concerning Google and ordinary people’s “right to be forgotten”. The Court ruled that Google must amend some of its search results at the request of ordinary people when the results show links to outdated, irrelevant information. The case is bound to lead to further questions about the scope of the duties of search engines such as Google under EU laws.

View the interview here.… Continue Reading

Clotting Heartbleed: Guidance on Privacy Breaches, Notification Obligations and Proposed Amendments to Privacy Legislation

Posted in E-Commerce, Privacy, Regulatory Compliance

Canadian organizations with control over personal information should be aware of the privacy vulnerabilities of Heartbleed and their related legal obligations. Below, we have summarized: (1) the risks of Heartbleed; (2) the notification obligations of organizations that have experienced a privacy breach; (3) amendments to those obligations, as proposed by the federal government; and (4) recommendations  to protect your organization from privacy breaches and legal liability.

HEARTBLEED

Heartbleed is a serious security vulnerability that exists in certain versions of the OpenSSL software. OpenSSL is an open source software module created to implement certain cryptographic functions and provide various utility functions. … Continue Reading

The Digital Privacy Act: Proposed Amendments to PIPEDA

Posted in Privacy

On Tuesday April 2, 2014, the government gave first reading to proposed amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These amendments have been tabled as Bill S-4 in the Senate (the “Bill”), which is entitled the Digital Privacy Act.

The Bill is broadly similar to the former Bill C-29 which was introduced in 2010 but never passed.  However there are some changes, particularly in introducing a new “compliance agreement” paradigm.

Broadly, the major changes proposed in the Bill can be summarized as follows.  The Bill would:

Ontario Superior Court Revisits and Broadens Jones v Tsige

Posted in Privacy

In the recent case Hopkins v Kay, the Ontario Superior Court of Justice declined to strike a claim for the tort of intrusion upon seclusion. In doing so, the court appears to have broadened the scope of the tort of intrusion upon seclusion as set out in Jones v Tsige. Companies should be aware of the broadening of the tort of intrusion upon seclusion and take steps to prevent such intrusion.

Background

In January 2012, the Ontario Court of Appeal released Jones v Tsige, in which it held that there is a tort of intrusion upon … Continue Reading

2013 Technology Law Year in Review

Posted in Consumer Protection, Contracting/Outsourcing, E-Commerce, M&A/Finance, Privacy, Regulatory Compliance

2013 was a very active year in the tech sector in Canada.  Some of the leading developments over the last year are summarised below.

Tech Transactions – Turbulent Year for BlackBerry (Fairfax transaction)

2013 was a turbulent year for the Canadian leader of the telecommunications industry. It started with a change of name, from Research in Motion Ltd. to BlackBerry, in order to rebrand the company and to be more successful on the stock market. A few months later, BlackBerry publicly announced that it was reviewing its strategic alternatives for the future. In November, BlackBerry received an investment of U.S. … Continue Reading

Recent Lessons in Preparing for and Responding to Security Breaches

Posted in Privacy

Target recently acknowledged that it suffered a massive security breach over the holiday season between November 27 and December 15.  The result of the breach was that over 110 million credit and debit accounts which include customer names, credit and debit card numbers, card expiration dates and the three-digit security codes were stolen.

It was discovered during the investigation into the breach that the security breach was caused by sophisticated malware that had the ability to infect individual point of sale devices, monitor data processes on the devices, then transmit the data outside of the retailer. The sophistication of … Continue Reading

The Right to be Forgotten

Posted in Privacy, Social Media

This past October, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted in favour of a major reform of the current European Union (“EU”) data protection regime consisting of the Data Protection Directive, introduced in 1995, and national legislative works existing across EU member states. Intended as a response to privacy concerns in respect of technological developments and recent cases involving mass surveillance, LIBE adopted a proposed General Data Protection Regulation (the “Regulation”), which, once in force, would not only represent a major change in the protection of personal information … Continue Reading

A Computer is Not a Cupboard: The SCC Grapples With Computer Searches

Posted in Privacy

The Supreme Court of Canada recently formulated new rules for computer searches by police, acknowledging that the traditional legal framework was inadequate to protect the privacy rights of individuals in their digital life. In R. v. Vu, 2013 SCC 60, the Court said that a police search of a computer now requires prior authorization in the form of a specific warrant.

Facts

The police had been tipped about electricity theft at a residence suspected of being used to cultivate marijuana. They obtained a warrant to search the residence for evidence of such theft, including information identifying the owners and/or … Continue Reading

SCC Strikes Down Alberta Privacy Legislation on Speech Grounds

Posted in Privacy

This morning, the Supreme Court of Canada released Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, an important decision relating to the intersection of freedom of expression and protection of privacy and, in the process, struck down Alberta’s Personal Information Protection Act, SA 2003, c. P-6.5 ( “PIPA”). At issue were the privacy rights created by the PIPA and the right to free expression, which is constitutionally enshrined as section 2(b) of the Canadian Charter of Rights and Freedoms (the “Charter”).

The case arose from a strike in 2006, at … Continue Reading

Under the Hood of Usage-Based Car Insurance: FSCO Issues Guidance on Privacy, Permissible Data Use, and Pricing

Posted in Privacy

The Next Big Thing in privacy is the advent of usage-based insurance (“UBI”), made possible by a telematics device – a small gizmo that plugs into the diagnostic port of a car, monitors a driver’s driving habits, and sends that information wirelessly to an insurer/third party. Insurers in turn offer up to 25% savings on insurance rates based on “safer” driving. Available for over a year in the US, insurers have now begun offering similar programs in Canada, prompting the industry regulator in Ontario, the Financial Services Commission of Canada (“FSCO”), to release a bulletin … Continue Reading

Manitoba Joins the Ranks of Other Provinces in Enacting its Own Private Sector Privacy Legislation

Posted in Privacy

The government of Manitoba recently enacted the Personal Information Protection and Identity Theft Prevention Act (“PIPITPA”) to regulate the collection, use and disclosure of personal information by the private sector in Manitoba.[1] The statute has not come into force but this enactment is momentous, as it will enable Manitoba to join the ranks of Alberta, British Columbia and Quebec, which all have their own private sector privacy legislation that is “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).[2] Manitoba is also the first province to move in this direction … Continue Reading

Personal Information and Privacy Issues in Business Transactions: Part 2

Posted in M&A/Finance, Privacy

In a previous blog entry we canvassed Canadian privacy legislation and offered businesses a cursory review on how to collect, use and disclose personal information legally in the context of a business transaction. Adding to that information, this entry will look at issues that arise during the due diligence phase of a business transaction and offer tips to assist organizations in complying with privacy obligations.

Due Diligence For Business Transactions

A comprehensive due diligence phase is often undertaken as one of the preliminary steps to help organizations evaluate business transactions. This evaluation looks to the potential value of the transaction … Continue Reading

Personal Information and Privacy Issues in Business Transactions: Part 1

Posted in M&A/Finance, Privacy

The free flow of information is essential to all business transactions and presents both opportunities and obligations for the organizations involved. Inadequate appreciation for the complexity of privacy legislation and the related implications can become not only an obstacle but a liability. This will be the first part in a series of articles that canvass the privacy issues that arise during business transactions. Part 1 will review the various legal regimes in Canada that regulate the collection, use and disclosure of personal information during business transactions.  Part 2 will look specifically at issues that arise during the due diligence phase … Continue Reading

Failure to properly wipe data from recycled server costs company $250K, an apology and 160,000 letters of notice

Posted in Privacy

In a tale of best intentions gone wrong, the Office of the Information and Privacy Commissioner of Alberta (“Commissioner”) recently found in Bow Valley College (Re), 2013 CanLII 52666 (AB OIPC) that an educational institution that recycled its servers without ensuring the data on them had been wiped had not met privacy requirements. The decision identifies some key considerations for corporations decommissioning and disposing of technology.

Context

Bow Valley College (“BVC”) had 21 servers it was decommissioning. Mindful of environmental concerns, it contacted a third party, the Electronic Recycling Association of Alberta (“ERA”), … Continue Reading