Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
Today the Supreme Court of Canada issued a very important privacy decision in R v Jarvis. I say it’s important for a number of reasons. First, it’s an important decision that strongly defines expectation of privacy for the Canadian Criminal Code offence of voyeurism. Second, I expect it will have serious knock-on effects on considering privacy in the regulatory and common-law contexts. Finally, it will inform other instances in our Criminal Code where an expectation of privacy is relevant. The decision has a very highly nuanced and contextual test for determining where there is a reasonable expectation of privacy.
The case is largely about a teacher in a high school who used a covert, miniature camera to take videos of young women’s cleavage over more than a year. It was discovered and he was charged under the relatively new voyeurism offence in the Code. Two essential elements of the offence are that there have to be circumstances that give rise to a reasonable expectation of privacy and the recording has to be done for a sexual purpose.* In R v Jarvis, the recording took place in otherwise “public areas” of the school, so not in washrooms or changing rooms. It also has to be "surreptitious", but the observation itself was not surreptitious. What was being recorded was largely observed in real-time by the teacher. The recording was surreptitious.
The trial judge found that there was a reasonable expectation of privacy but the crown had not proven the sexual purpose beyond a reasonable doubt. It’s hard to get one’s head around that, as the teacher had many, many recordings spanning more than a year of students’ cleavage and chest areas. I’m not sure what other purpose he could have had.
The crown appealed to the Ontario Court of Appeal, which had little difficulty concluding that there was a sexual purpose but split on the reasonable expectation of privacy in a "public place" where the young women could generally be observed by teachers and other students.
On appeal to the Supreme Court of Canada, the Court found the accused to be guilty of the offence and provided a very nuanced and contextual framework for determining where and when there is a reasonable expectation of privacy. What is particularly notable for technology lawyers is the role that the covert recording device plays in this analysis. It is not simply a matter that what was recorded could have been observed with one’s bare eyes. The tech plays a role in a couple of ways. Recording is more intrusive than mere observation and awareness of (or the lack of awareness) the observation also plays an important role.
The Court provided a non-exhaustive list of nine factors that courts should consider in deciding the question:
 The following non-exhaustive list of considerations may assist a court in determining whether a person who was observed or recorded was in circumstances that give rise to a reasonable expectation of privacy:
(1) The location the person was in when she was observed or recorded. The fact that the location was one from which the person had sought to exclude all others, in which she felt confident that she was not being observed, or in which she expected to be observed only by a select group of people may inform whether there was a reasonable expectation of privacy in a particular case.
(2) The nature of the impugned conduct, that is, whether it consisted of observation or recording. Given that recording is more intrusive on privacy than mere observation, a person’s expectation regarding whether she will be observed may reasonably be different than her expectation regarding whether she will be recorded in any particular situation. The heightened impact of recording on privacy has been recognized by this Court in other contexts, as will be discussed further at para. 62 of these reasons.
(3) Awareness of or consent to potential observation or recording. I will discuss further how awareness of observation or recording may inform the reasonable expectation of privacy inquiry at para. 33 of these reasons.
(4) The manner in which the observation or recording was done. Relevant considerations may include whether the observation or recording was fleeting or sustained, whether it was aided or enhanced by technology and, if so, what type of technology was used. The potential impact of evolving technologies on privacy has been recognized by the courts, as I will discuss further at para. 63 of these reasons.
(5) The subject matter or content of the observation or recording. Relevant considerations may include whether the observation or recording targeted a specific person or persons, what activity the person who was observed or recorded was engaged in at the relevant time, and whether the focus of the observation or recording was on intimate parts of a person’s body. This Court has recognized, in other contexts, that the nature and quality of the information at issue are relevant to assessing reasonable expectations of privacy in that information. As I will discuss further at paras. 65-67 of these reasons, this principle is relevant in the present context as well.
(6) Any rules, regulations or policies that governed the observation or recording in question. However, formal rules, regulations or policies will not necessarily be determinative, and the weight they are to be accorded will vary with the context.
(7) The relationship between the person who was observed or recorded and the person who did the observing or recording. Relevant considerations may include whether the relationship was one of trust or authority and whether the observation or recording constituted a breach or abuse of the trust or authority that characterized the relationship. This circumstance is relevant because it would be reasonable for a person to expect that another person who is in a position of trust or authority toward her will not abuse this position by engaging in unconsented, unauthorized, unwanted or otherwise inappropriate observation or recording.
(8) The purpose for which the observation or recording was done. I will explain why this may be a relevant consideration at paras. 31-32 of these reasons.
(9) The personal attributes of the person who was observed or recorded. Considerations such as whether the person was a child or a young person may be relevant in some contexts.
 I emphasize that the list of considerations that can reasonably inform the inquiry into whether a person who was observed or recorded had a reasonable expectation of privacy is not exhaustive. Nor will every consideration listed above be relevant in every case. For example, recordings made using a camera hidden inside a washroom will breach reasonable expectations of privacy regardless of the purpose for which they are made, the age of the person recorded, or the relationship between the person recorded and the person who did the recording. In another context, however, these latter considerations may play a more significant role. The inquiry is a contextual one, and the question in each case is whether there was a reasonable expectation of privacy in the totality of the circumstances.
While anyone could have observed these young women in a relatively public place, what made it particularly problematic was the person who did the observing, in their position of power as a teacher, the victim of the offence, what was focused on and the manner of the observing. Not all of the factors weigh strongly in favour of a finding reasonable expectation of privacy in this case, but the vast majority of them do.
So what does this mean? I expect that we'll be able to see more charges and convictions for similar practices, including "upskirting". We'll also have to see a more nuanced discussion about what is an expectation of privacy in generally public places and I'm confident this will inform judicial decision-making in the context of the privacy torts, which largely hinge on reasonable expectations of privacy, and what it unreasonable. We'll also have to think hard about what role technology plays in privacy, particularly where CCTV cameras are said to be largely equivalent to real-time supervision by managers.
One aspect that I haven't really turned my mind to at this point is the impact of this analysis on expectations of privacy vis-a-vis the state, where section 8 of the Charter is concerned.
* There are other permutations that can give rise to the offence, which do require an expectation of privacy and are largely place-based:
162 (1) Every one commits an offence who, surreptitiously, observes — including by mechanical or electronic means — or makes a visual recording of a person who is in circumstances that give rise to a reasonable expectation of privacy, if
(a) the person is in a place in which a person can reasonably be expected to be nude, to expose his or her genital organs or anal region or her breasts, or to be engaged in explicit sexual activity;
(b) the person is nude, is exposing his or her genital organs or anal region or her breasts, or is engaged in explicit sexual activity, and the observation or recording is done for the purpose of observing or recording a person in such a state or engaged in such an activity; or
(c) the observation or recording is done for a sexual purpose.
At least in a school, subsections (a) and (b) would generally be found in washrooms and change rooms.
This week, I was pleased to be asked to be on a panel with Daniela Bassan on digital evidence for the Canadian Bar Association - Nova Scotia Annual Conference. I spoke about the mechanics of trying to gather and preserve digital (mainly online) information, and Daniela spoke about the process of getting court orders to preserve and access information from third parties.
Continue to be technology neutral and principles-based, because these features enable the law to endure over time and create a level playing field, but it should mostly be drafted as a rights based statute, meaning a law that confers enforceable rights to individuals, while also allowing for responsible innovation.
Maintain an important place for meaningful consent but it should also consider other ways to protect privacy where consent may not work, for instance in certain circumstances involving the development of artificial intelligence. The concept of ‘legitimate interest’ in the GDPR may provide one such alternate approach.
Empower a public authority to issue binding guidance or rules that would clarify how general principles and broadly framed rights are to apply in practice. A principles based legislation has important virtues, but it does not bring an adequate level of certainty to individuals and organizations. Binding guidance or rules would ensure a more practical understanding of what the law requires. They could also be amended more easily than legislation as technology evolves.
Confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to independently verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
Give the OPC the ability to choose which complaints to investigate, in order to focus limited resources on issues that pose the highest risk or may have greatest impact for Canadians. At the same time, to ensure no one is left without a remedy, give individuals a private right of action for PIPEDA violations.
Allow different regulators to share information. Meaningful protection of consumers and citizens in the fast-paced digital and data-driven economy understandably must involve several regulators, and they must be able to better coordinate their work.
Finally, it is absolutely imperative for privacy laws to be applied to Canadian political parties.
I agree wholeheartedly with the last bullet point, but I think we should hold off before revamping our privacy law. In my view, it works and it works well. The only impetus for change would be the adequacy determination from Europe, which is not scheduled until 2020. At that point, we'll have an understanding of what's necessary to maintain this important status. In the meantime, the OPC hasn't made a strong case for order making powers. We would have two choices: either create a Privacy Tribunal like the Canadian Human Rights Tribunal (which is often pointed to as a poster-child of inefficiency) or turn the Office of the Privacy Commissioner into something like the CRTC's CASL enforcement group (which has problems of overreach and a clear propensity towards zealous punishment of companies that are making a good faith effort to comply with the law).
A diligent privacy consultant will do a thorough privacy impact assessment, a threat risk assessment or a gap analysis. They'll take a thorough look at your current practices and benchmark them against not just your competitors but against best practices. Most companies will fall short in one way or another, and many will decide to only address 70% of the risks identified. But what about the other 30%? If you're later sued, your consultant's report will suggest to a judge or a jury that you decided not to get your house in order. What might have been negligence can quickly become recklessness.
The reality is that nothing that a consulant produces for you -- unless they are properly teamed with legal counsel -- will be privileged. I've seen loads of consultants who mark their reports as privileged, but a legend on a document will never stand up in court.
I'm involved with a class action lawsuit where the defendant had, on multiple occasions, brought in a privacy consultant to advise on a range of matters. As a diligent consultant should, they identified a number of problems with processes, practices and policies. They almost called the situation a dumpster fire. The organization sought to address most of these, but they didn't focus on all of them. When a huge breach happened and a huge class action lawsuit followed, the breach could be easily attributed to one of the areas where insufficient remediation took place. They went from being careless to being reckless. And the consultant's report will be Exhibit A in the lawsuit.
Even the most diligent organization, when it takes a microscope to its practices, will discover problems. Unless you're going to address every single shortcoming, you need to be aware of what you might discover. And what you discover may be handed on a silver platter to the plaintiffs.
In the case I'm referring to, if this report had been prepared by legal counsel--focusing on advising the organization about its actual legal risk rather than benchmarking against nebulous best practices--it never would become Exhibit A in the class action.
In this age of breach notification, when class actions will inevitably follow notifications, you need to make sure that you know your risks so you can address the most serious of them. And you need to make sure that these reports are truly seeking legal advice and will never see the light of day.
With many of my clients, we've been harnessing the capabilities of privacy consultants while structuring the engagement to make sure that all the findings are shielded from litigation discovery.
If you hire consultants, think about what might happen after a breach and you have to hand them over to plaintiffs' counsel. That can be addressed right now and you should think about it.
I had the pleasure of giving a presentation to the Atlantic Security Conference this afternoon on Canada's new data breach notification regime, which is coming into effect on November 1, 2018. It's posted below in case it's of interest to a wider audience.
One thing that I did emphasise, which I'll do again here, is that the Canada Border Services Agency takes the view what they can search all digital information that crosses the border. I am of the view that this is legally incorrect, so asserting your rights will likely result in being charged for obstruction of a CBSA officer.
Online reputation is the nice way of saying "right to be forgotten" or "right to erasure". And the OPC's draft position is that such a right exists under PIPEDA and involves manadatory "de-indexing of search results".
Here's the OPC's press release on this latest development:
Improvements needed to protect online reputation, Privacy Commissioner says
New report sets out recourses such as the right to ask search engines to de-index web pages and takedown of online information; emphasizes the need for education
GATINEAU, QC, January 26, 2018 – Canadians need better tools to help them to protect their online reputation, says a new report by the Office of the Privacy Commissioner of Canada.
The report highlights measures such as the right to ask search engines to de-index web pages that contain inaccurate, incomplete or outdated information; removal or amendment of information at the source; and education to help develop responsible, informed online citizens.
“There is little more precious than our reputation. But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove,” says Privacy Commissioner Daniel Therrien.
“Canadians have told us they are concerned about these growing risks to their reputation. We want to provide people with greater control to protect themselves from these reputational risks. Ultimately, the objective is to create an environment where people can use the Internet to explore and develop without fear their digital traces will lead to unfair treatment. ”
The Office of the Privacy Commissioner of Canada’s draft Position on Online Reputation aims to highlight existing protections in Canada’s federal private sector privacy law, identify potential legislative changes and propose other solutions for consideration.
The report follows a consultation process aimed at identifying new and innovative ways to protect reputational privacy, a key OPC priority. A discussion paper and call for essays resulted in 28 submissions from stakeholders which helped inform this report.
With respect to existing protections, the report notes that the federal private sector privacy law provides for a right to de-indexing – which removes links from search results without deleting the content itself – under certain circumstances and upon request.
Canadians should also be permitted to easily delete information they’ve posted about themselves on a commercial forum, for instance a social media site. In cases where others have posted information about an individual, they have a right to challenge and seek amendment to demonstrably illegal, inaccurate, incomplete and out of date information, the report says.
All of these considerations need to be balanced with other important values such as freedom of expression and public interest.
For their part, search engines and websites have an obligation to assess requests from individuals for information to be de-indexed or taken down and are generally equipped to do so through existing customer complaints channels. If a matter cannot be resolved, individuals have a right to complain to the Office of the Privacy Commissioner of Canada.
“While it’s important to take action on de-indexing, we are also recommending that Parliament undertake a study of this issue. Elected officials should confirm the right balance between privacy and freedom of expression in our democratic society,” says Commissioner Therrien.
There are a number of circumstances which could potentially be the subjects of de-indexing or takedown requests. For example, an adult may feel their reputation is harmed by controversial views they held as a teenager and posted online. Other examples could include defamatory content in a blog; photos of a minor that later cause reputational harm; intimate photos; or online information about someone’s religion, mental health or other highly sensitive information.
While the combination of the ability to request de-indexing and source takedown of information shares similarities with the Right to Erasure (Right to be Forgotten) in Europe, the report does not seek to import a European framework into Canada. Rather, it is an interpretation of current Canadian law, and the remedies related to online reputation that can be found within the existing law.
The report also emphasizes the importance of privacy education.
Along with its provincial and territorial counterparts, the OPC has sent a joint letter to the Canadian Council of Ministers of Education calling for privacy protection to be incorporated into curriculum for digital education across the country.
“We want young Canadians to develop into good online citizens,” Commissioner Therrien says. “Youth need the technical knowledge to protect themselves, along with a strong understanding of how to act responsibly online and why it’s important.”
The report is also calling on Parliament to establish a stronger ability for youth to request and obtain the deletion of information they themselves have posted on social media, and in appropriate cases, information posted about them online by their parents or guardians when they reach the age of majority.
Other proposed solutions focus on educating all Canadians about available mechanisms to control reputation, such as through website privacy settings, and other emerging privacy enhancing technologies. The OPC has also committed to proactively addressing systemic or sector-wide problems related to online reputation, for instance, where vulnerable groups are concerned, and to encouraging research, development and adoption of new solutions for protecting online information, in part through its Contributions Program.
After consulting with stakeholders on the proposals outlined in its draft position paper, the OPC will finalize its position and develop an action plan to put the new measures into practice.
The British Columbia Court of Appeal has whipped the door open for the greater use of production orders requiring non-Canadian companies to provide user information. Here's the summary I prepared for my firm (also available here):
Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to produce any of its records has, to date, depended on the province in which police seek it. Some courts refuse an order where the company is wholly outside of Canada; some require an address in Canada for service to grant the order; and others grant the order, apparently unconcerned about the company’s Canadian “presence”. That could however change with the B.C. Court of Appeal’s January 9, 2018, decision in British Columbia (Attorney General) v. Brecknell. The Court’s decision that Craigslist is “present” in B.C. and can be subject to a Criminal Code production order issued from its provincial court might lead to greater national uniformity – and more exposure to foreign companies doing only virtual business in Canada:
The Legal Trend. The decision lines up with the Supreme Court of Canada’s increasing awareness of the Internet’s inherently global nature, willingness to take jurisdiction in cases that cross borders, and readiness to apply existing legal principles to online business – all as illustrated in the Court’s June 2017 decisions in Google Inc. v. Equustek Solutions Inc. and Douez v. Facebook, Inc. There’s every reason to believe this trend is here to stay – and foreign companies doing business in Canada, even if only virtually, should be prepared for the increased legal exposure it entails.
Broader Implications. The Court’s conclusion that the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference could carry implications far beyond the availability of production orders. Whether its reasoning vis-a-vis an internet-based company’s “presence” in Canada will have application to, for example, tax laws, remains to be seen.
More Production Orders & More Content. Non-Canadian companies will likely see more production orders from Canadian courts. Canadian courts will more willingly assume jurisdiction over companies where the only contacts with Canada are virtual (i.e. over the internet), and more readily available to police to obtain production orders against such companies – no matter where they are “physically” present. And this route is much preferred by police compared to proceeding under mutual legal assistance procedures. In addition to more Canadian production orders against internet companies, more of those orders will likely be for “content”, not just identifying information and metadata. And this decision will likely lead Canadian police to conclude that compliance is no longer a question of voluntariness: many internet companies “voluntarily” comply with Canadian orders for non-content data but require Mutual Legal Assistance Treaties (MLAT) processes for content such as email and other communications.
In 2016, the Royal Canadian Mounted Police (R.C.M.P.) applied to the B.C. Provincial Court for a production order requiring Craigslist to produce certain information about one of its users. In particular, R.C.M.P. sought the user’s name or physical address, its email address, the IP address assigned to the user when the post was created, the phone numbers used to verify the user account, the dates and times the post was created post and the record of the posting. The court refused on the basis Craigslist had only a “virtual presence in B.C.” The R.C.M.P. appealed and on January 9, 2018, the B.C. Court of Appeal agreed: Craigslist is “present” in the province of B.C. and police can obtain a production order naming it, even though it has no “physical” presence in Canada or an address in Canada to effect service:
Virtual Presence = Physical Presence. Under Canadian law, a Canadian court has jurisdiction where there is a “real and substantial connection” between Canada (or a Canadian province) and the activity in issue. There’s no “bright line” rule, but courts have consistently decided that actively doing business over the internet with residents of a particular Canadian province is enough to create that connection. This in turn gives the court jurisdiction over the specific subject matter and parties (a.k.a “in personam” jurisdiction), a proposition about which the Supreme Court of Canada most recently pronounced in its June 2017 decision in Google v. Equustek Solutions Inc. Here, the Court of Appeal interpreted the Criminal Code provisions as limiting courts’ ability to issue a production order “…only against a person in Canada”, making the question whether Craigslist – a U.S. company with no physical presence in Canada – is “a person in Canada” for this purpose. The Court concluded the distinction between a virtual-only presence and a “physical” presence is effectively a distinction without a difference (at para. 40):
“… [I]n the Internet era it is formalistic and artificial to draw a distinction between physical and virtual presence. Corporate persons … can exist in more than one place at the same time. … I do not think anything turns on whether the corporate person in the jurisdiction has a physical or only a virtual presence. To draw on and rely on such a distinction would defeat the purpose of the legislation and ignore the realities of modern day electronic commerce…”
The Test is Canadian Presence – not Canadian Possession. The Court was clear that the test for a production order is only the presence of the recipient – and not the information sought to be produced – in Canada. Once the Court of Appeal concluded Craigslist was “a person in Canada”, the test was met (at para. 39):
“In the first instance, the [Criminal Code] section, properly interpreted, stipulates only that the person subject to the order must be a person in the jurisdiction. In my view, Craigslist is such a person. Second, the person must be a person who has possession or control of a document. The section says nothing expressly about where that possession or control exists. Indeed, it may not even be sensible to pose the question in terms of the location of control. A person either does or does not have possession of a document. The question is one of control, not where the control is exercised. In this case, Craigslist has possession or control of the relevant records and the provision requires nothing further. In other words, there is nothing in the section that requires the person in the jurisdiction to be a custodian of the documents in the jurisdiction. In my view, it is sufficient that the person is present within the jurisdiction. I do not think that there is anything extraterritorial in such an interpretation. To conclude that Craigslist is a person within the jurisdiction who has possession or control of documents does not give the section an impermissibly extraterritorial interpretation.”
No Other Barriers. The Court of Appeal rejected the argument that a production order against a foreign company effectively intrudes into another country’s sovereignty, essentially deputizing a non-Canadian company to carry out a search in a foreign country that Canadian police could never carry out themselves. The Court concluded the weight of U.S. legal authority doesn’t treat subpoenas in this manner, noting it appears instead to recognize the U.S. validity of subpoenas directed to persons in the U.S. over whom there is personal jurisdiction to disclose documents in the U.S. even where they must be obtained from outside the U.S. The Court also considered – and rejected – the arguments that enforcement difficulties or the existence of Mutual Legal Assistance Treaties (MLAT) militate against the use of production orders in cases like this.