Recent Updates from the Office of the Privacy Commissioner of Canada
Remarks to the Canadian Bar Association Privacy and Access Law South Section
November 14, 2011
Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada
(Check against delivery)
On behalf of the Privacy Commissioner of Canada, thank you for your kind invitation to speak to you today. I am delighted to be back in the west and to be joined here by our colleagues from the Saskatchewan Office of the Information and Privacy Commissioner.
I was asked to give a brief overview of recent operational, jurisprudential and legislative updates relevant to PIPEDA, as well as to introduce the “PIPEDA and Your Practice: A Privacy Handbook for Lawyers” which we launched last August at the National Canadian Bar Association Conference in Halifax.
Let me start with a brief overview of some operational trends at the OPC spurred by the Commissioner's overall vision and direction for PIPEDA.
Consistent with her vision since the very beginning, Commissioner Stoddart has worked hard to build up the Office's internal capacity to keep apace with the ever-changing nature of information technology and its impact on privacy. She has strongly encouraged ongoing training and recently created a Technology Analysis Branch to ensure the core capacity needed to support the work of all the other Operational Branches.
She has also articulated a clear objective of improving service to Canadians and has committed significant investment for this purpose. She has created a new Information Centre to respond promptly to Canadians' enquiries and concerns and a re-engineered investigation process to reduce the time delay between when a complaint is filed and the release of a Report of Findings.
She has worked to change the perception of the OPC as a bureaucratic, Ottawa-based federal regulator operating in a vacuum, by creating a new Toronto office to extend the scope of our outreach, facilitate discussions with the business community and better understand their needs and practical realities.
She has taken strides to promote a stronger sense of accountability among organizations. To this end, she will be creating a new category of findings as of January 2012 called "Well-Founded and Conditionally Resolved" and strengthening OPC capacity to follow up on organizations’ undertakings. This will help ensure that the recommendations agreed to are in fact implemented, and in appropriate cases, attested to by independent third party audits where the circumstances lend themselves to it.
True to her word, the Commissioner has also intensified her efforts to build cooperative relationships with her international counterparts. This with a view to more effectively getting at the core of the broad, systemic issues of truly global dimension and playing a leadership role in addressing those online privacy threats that know no borders, yet potentially impact all Canadians.
Trends in Investigations
As for trends in our investigations, let me give you an overview of some of the more significant ones worth noting:
In a year-to-year comparison, we are seeing a decline in the overall number of complaints filed. For example, the number of complaints the office received dropped by 10% from 2009 to 2010 (from 231 complaints down to 207 complaints) and has dropped a further 11% from 2010 to 2011 (from 207 down to 184 complaints filed as of October 24, 2011). This may be due in part to more intensified efforts invested up front to help resolve matters before they even become complaints.
While the number of data breaches voluntarily reported by organizations had decreased from 2008 through to 2010, there has been a significant increase since 2010. In fact, voluntary data breach reporting has increased by 27% from 2010 to 2011 (up from 44 incidents in 2010 to 56 in 2011 as of October 24, 2011) and the calendar is not over yet.
As the OPC moves forward and as Parliament looks to pass a mandatory breach notification scheme as part of the proposed PIPEDA amendments in the new Bill C-12, we expect this trend to continue.
Let me now turn to some recent developments in jurisprudence related to PIPEDA. In particular, we have seen noticeable developments in a recent string of damage cases brought before Federal Courts under PIPEDA.
Since early 2010, the Federal Court has moved towards establishing the beginnings of a matrix that can be used when damage awards are considered under PIPEDA.
In the first of these recent cases, R. v. Nubody's Fitness Centre, 2010 FC 681, the Court set the bar relatively high. This case involved disclosure by Nubody's Fitness to the applicant's employer about the number of times he and other employees were using the gym as part of the corporate sponsorship program. Although the Court agreed with the Privacy Commissioner of Canada that disclosure occurred without consent and in violation of PIPEDA, the Court did not award damages in this case. The Court ruled that damages under PIPEDA were not to be awarded lightly, but only in the most egregious of cases. Mosley J. was of the view that "the impugned disclosure of personal information was minimal and that there had been no injury to the applicant justifying an award of damages" (para. 49). Justice Mosley further stated that even if a minimal injury had occurred (which he did not accept), the respondent did not behave in a "flagrant and callous manner"; it did not act "in bad faith" or in a "high-handed" manner (paras. 53 & 57).
In S. v. SNF Maritime Metal, 2010 FC 1137, the Court found that the breach in question, like in Nubody’s, was at the low end of sensitivity of personal information. This case involved disclosure by SNF to the applicant's employer about personal accounts the applicant opened in his own name to sell scrap metal, some of which belonged to his employer, yet the applicant was crediting to himself and getting paid for. Eventually, this scheme resulted in termination for cause. The Court found that the real nature of the applicant’s complaint was at its source, a termination of employment matter, not a privacy matter, and refused to award damages under PIPEDA as an end-run around the existing rights to damages.
It wasn't until the third case, N. v. Transunion of Canada Inc., 2010 FC 1284, that the Court found that damages were justified in the circumstances given the egregiousness of the breach in question. In that case, Zinn J. found that Transunion failed to collect accurate credit information about the applicant and disseminated inaccurate financial information about him to Royal Bank of Canada. Even when apprised of its error, Transunion failed to address the situation quickly and effectively or even take responsibility for its error. "Although the dissemination of false credit information is not a strip search, it does lay bare to those receiving the information the creditworthiness of a person… and can be equally intrusive, embarrassing and humiliating…” (para. 79). Applying the Supreme Court of Canada’s reasoning in Vancouver (City) v Ward, 2010 SCC 27, which recognized deterrence and vindication as general objects of the Charter that could justify an award of damages even where no physical or personal loss had been demonstrated, the Court held that the same could be said about the objects of PIPEDA and proceeded to award the applicant $5000 in damages, plus $1000 in costs.
In the more recent case of L. v. Royal Bank of Canada, 2011 FC 687, released this summer, the Federal Court cited Transunion, and recalled the requirement that damages only be awarded in the most egregious of cases. This case involved a bank employee who in responding to a subpoena released personal information about the applicant to her ex-spouse's lawyer directly instead of following company policy which requires prior consent or, in the absence of consent, requires disclosure to be made only in court to the judge. Perhaps most interestingly, the judge recognized that the applicant was partially at fault for attempting to conceal under oath the existence of her personal bank accounts, but nevertheless awarded the applicant $4500 in damages for the humiliation she had suffered as a result of what the court considered a “serious breach” by the bank employee (para. 32). Accordingly, despite the applicant’s somewhat “unclean hands”, damages were nevertheless considered appropriate in this case.
In the most recent case of G. v. Zarek Taylor Grossman Hanrahan LLP, 2011 FC 1070, the Court’s reasoning remained much the same. This case involved the improper posting by a law firm of a letter of findings by the Privacy Commissioner that contained the applicant’s name but without the applicant’s consent. The law firm had received a copy of the letter of findings in its capacity as representative of the organization against which the applicant had originally filed a complaint. The law firm reacted immediately by taking down the posting within two hours of the breach having been brought to the senior partner’s attention. Finding that the breach in question fit somewhere between the egregiousness of Transunion and the low-end breach in Nubody's Fitness, the Court awarded $1500 in damages.
The OPC will be watching this emerging trend closely as it continues to develop.
As many of you know, the federal government recently passed Canada’s Anti-Spam Law (CASL) that aims to deter unwanted electronic communications by regulating the sending of commercial electronic messages, including e-mails and text messages. Among other things, senders will have to obtain consent before such messages may be sent.
CASL also seeks to curb other harmful practices such as electronic address harvesting and secretly installing malware (malicious software) on computers.
Once CASL comes into full effect, the Office of the Privacy Commissioner will share responsibilities for enforcing it with the Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau.
The comment period for draft regulations closed on September 7th. The CRTC and Industry Canada are currently in the process of analyzing comments received and considering whether changes to the proposed regulations are needed.
I should also note two unrelated PIPEDA amendments that may be of interest to many of you. These amendments were introduced as part of CASL but are of general application to all PIPEDA complaints. Unlike the other provisions of CASL, these PIPEDA amendments are currently in force.
First, CASL amended PIPEDA to allow the Commissioner to exchange information with her foreign and provincial counterparts where she believes it would be relevant to an ongoing or potential investigation. This will permit the Commissioner to more effectively tackle privacy issues of truly global dimension.
Second, CASL has also amended PIPEDA to give the Commissioner the ability to decline to investigate or to discontinue an investigation in specific circumstances. This new discretion will allow the Commissioner to focus her efforts and resources on complaints of broad, systemic nature that pose privacy risks for all Canadians.
With the Federal election in May of this year, Bill C-29 that sought to amend PIPEDA pursuant to its first statutory review died on the order paper. The Bill, known as the Safeguarding Canadians' Personal Information Act, was recently reintroduced as Bill C-12 in virtually identical form.
If passed, the bill will amend PIPEDA and require organizations to inform the Commissioner of “any material breach of security safeguards involving personal information.” Factors to consider in determining whether a breach is material include the sensitivity of the personal information, the number of individuals affected and the systemic nature of the breach.
The bill would also require businesses to inform individuals of “any breach of security safeguards… if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Factors that go to determining whether there is “reasonable risk of significant harm” include the sensitivity of the personal information and the probability that it was, is being, or will be misused.
We are pleased that Bill C-12 has reintroduced mandatory breach notification, and in particular, the Commissioner is on record as saying that she supports a regime that will enhance accountability and transparency of organizations' personal information management practices. Prompt notification will help us and Canadians themselves adequately respond in real time to protect their personal data from threats of compromise.
In an effort to better define “lawful authority”, a term many agree is nebulous in the current Act, the Bill proposes a definition which is formulated in the negative, by defining what lawful authority is not. C-12 states that lawful authority is something “other than a subpoena, warrant or order issued or made by a court, person or body with the jurisdiction to compel the production of information”, or “rules of the court relating to the production of records”. Together with the related proposed amendment absolving the organization disclosing the information from having to verify the validity of the lawful authority, and the broad permissible disclosure for the purpose of “performing policing services”, several commentators have suggested that this attempt to clarify lawful authority makes things in fact more vague than is currently the case.
I cannot say what the Commissioner’s position on these proposed C-12 amendments will be in advance of her appearance before Parliament, but she is on public record, as recently as last week, saying that she and her provincial and territorial counterparts are seriously worried about other potential “lawful access” legislation that may be around the pike (previously Bills C-50, 51 and 52 which many expect will be reintroduced in Parliament in some form). Commissioner Stoddart has written to the Minister of Public Safety, Vic Toews, outlining her concerns about an expanded surveillance regime by the state that would allow the state to track, search and seize personal information held by commercial enterprises, without the appropriate judicial scrutiny. She called on the government to demonstrate why such vast new powers are necessary, and to find less privacy-invasive alternatives that would not have such serious repercussions on privacy rights in Canada – “privacy rights that underpin our democratic freedoms and allow us to exercise these freedoms openly, without fear, mistrust or censorship”. For those interested, you will find the Commissioner’s open letter to Minister Toews dated October 26, 2011 on our website: http://www.priv.gc.ca/media/nr-c/2011/let_111027_e.cfm#contenttop
PIPEDA and Your Practice: A Privacy Handbook for Lawyers
As part of our Office’s education and public outreach efforts, we recently launched “PIPEDA and Your Practice: A Privacy Handbook for Lawyers”. The objective of this guide is to offer lawyers practical guidance to better protect personal information of their clients, employees and third parties.
The “PIPEDA and Your Practice” Handbook is intended primarily for lawyers in private practice and some corporate counsel – both in the course of managing their practice and/or in the context of civil litigation.
It is meant as a guide to assist lawyers in identifying and complying with PIPEDA requirements, which may complement their already existing professional obligations of confidentiality.
While it is true that lawyers are the staunchest defenders of solicitor-client privilege, that does not necessarily make them privacy-savvy. Confidentiality, which is engraved in all of us from the time we are sworn in, inheres in the very nature of the lawyer-client relationship and imposes on us the obligation to keep client secrets. Privacy, on the other hand, is the right of individuals (whether clients or non-clients, within or outside the solicitor-client relationship) to control for themselves what can or cannot be done with their personal information.
This handbook seeks to reinforce lawyers' obligations to respect individuals' right to privacy and to protect personal information in their custody as must any other good steward conducting commercial activity.
Rather than get into the details of the handbook, my hope is that you will retain at least these two key messages:
- As many good lawyers are trained to do, we are likely to gravitate quickly into a discussion about whether PIPEDA, or other substantially similar provincial privacy legislation, applies or not to lawyers in certain situations depending on the circumstances, etc. While that is an important discussion to have – particularly if and when a privacy challenge arises – our message is intended to remain above the fray, in abstract of what can become rather protracted jurisdictional debates about which, if any, privacy law applies. Rather, our hope is for the legal community to remain open to a genuine conversation about Privacy best practices inspired by the spirit of PIPEDA, what makes good business sense, and the importance of building sustainable client relationships based on trust. Personal data has become the new currency of a digital economy and as Craig Newmark, the founder of Craigslist says “Trust is the new black”. It is the new bottom line indicator in the marketplace that will separate the successful enterprises from the others.
- The second key message related to the Handbook is one of opportunity – leadership opportunity for lawyers, as members in good standing of the Bar, to serve as exemplar models of ethical and respectful conduct. You have the privilege and the opportunity to lead by example and to encourage others, whether the colleagues you work with or the clients you advise, to do the same. You have the capacity to influence systemic change. For those of you at the CBA Annual Conference in Halifax this past summer, you will recall the Governor General’s opening remarks calling on all of us to espouse ethics as our third pillar of professional responsibilities, together with knowledge and practice. Well, privacy protection is, in a very real sense, a matter of ethics. It forms part of our obligations towards the profession, the public and the clients whom we serve. And that is the spirit in which we developed this handbook for lawyers.
As though intending to echo these same messages, Justice Mosley issued a decision directly on point shortly after the publication of the Handbook. In the matter of G. vs. Grossman, I mentioned earlier, Mosley J. had this to say:
“Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matters.”
G. v. Zarek Taylor Grossman Hanrahan LLP, 2011 FC 1070 at para. 53
It is hoped that the Privacy Handbook for Lawyers will provide you with the practical tips you need to serve as exemplar leaders in promoting the protection of privacy.
Thank you, and I look forward to your questions.