News

  • 10 Mar 2023 5:05 PM | CAN-TECH Law (Administrator)

    When Is Your Data in Plain View?

    SCC splits on application of “plain view doctrine” to data search and seizure

    In R. v. McGregor, the accused was a Canadian military member who had been posted to the Canadian Embassy in Washington, D.C. An investigation by the Canadian Forces National Investigation Service (“CFNIS”) turned up evidence that he had committed the offences of voyeurism and possession of a device for surreptitious interception of private communications, during the course of his employment. In cooperation with local police in Virginia, where McGregor lived, the CFNIS obtained a warrant to search his residence and electronic devices, and to analyze any devices that were seized. While executing the search, forensic investigators scanned the contents of some of the devices and discovered what appeared to be evidence of other offences, including a sexual assault. They seized the items and brought them back to Canada, and then obtained a warrant to further analyze the contents of these devices. At trial, McGregor argued that the search and seizure had breached s. 8 of the Charter, but both levels of court found that, if the Charter applied, s. 8 had been complied with.

  • 10 Mar 2023 4:45 PM | CAN-TECH Law (Administrator)

    What a SLAPP in the Face

    Nurses’ anti-vaccination defamation action against online reporting dismissed under anti-SLAPP legislation

    In Canadian Frontline Nurses v. Canadian Nurses Association, Justice Vermette of the Ontario Superior Court of Justice presided over an “anti-SLAPP motion” that arose from anti-vaccination protests in 2021. The plaintiffs were three former nurses and a not-for-profit organization (“CFN”) they had founded and/or were involved with. In September 2021 CFN organized 15 different “rallies/protests” that took place outside hospitals across Canada, at which various opinions were expressed regarding the effectiveness of COVID-19 vaccines, including that the “medical freedom” and “informed choice” of nurses and other health care workers was being infringed by mandatory vaccination policies. Various media coverage and public commentary ensued, including comments by: the defendant Canadian Nurses Association (CNA), a national advocacy organization for nurses; and the defendant Together News Inc. (TNI), a small regional media organization in British Columbia. Each of the defendants (along with other media outlets) published commentary that was critical of the CFN and the protests.

    The plaintiffs brought an action for defamation, and the defendants responded with a motion under section 137.1(3) of Ontario’s Courts of Justice Act. These are usually referred to as “anti-SLAPP motions,” as the court explained:
    • These provisions were enacted to mitigate the harmful effects of strategic lawsuits against public participation (also known as “SLAPPs”). SLAPPs are lawsuits initiated against individuals or organizations that speak out or take a position on an issue of public interest. They are generally initiated by plaintiffs who engage the court process and use litigation not as a direct tool to vindicate a bona fide claim, but as an indirect tool to limit the effectiveness of the opposing party’s speech and deter that party, or other potential interested parties, from participating in public affairs.

  • 10 Mar 2023 4:23 PM | CAN-TECH Law (Administrator)

    Investor relations firm failed to disclose requisite information in social media posts

    The British Columbia Securities Commission found, in its decision of January 30, 2023, that an investor relations firm hired by five reporting issuers failed to disclose clearly and conspicuously that materials disseminated via social media and otherwise were issued on behalf of the respective issuers. The obligation arises under s. 52(2) of the Securities Act of British Columbia.
    • 52(2)   A person engaged in investor relations activities, and an issuer or security holder on whose behalf investor relations activities are undertaken, must ensure that every record disseminated, as part of the investor relations activities, by the person engaged in those activities clearly and conspicuously discloses that the record is issued by or on behalf of the issuer or security holder.

  • 10 Mar 2023 12:53 PM | CAN-TECH Law (Administrator)

    Where sharing is unexpected or unobvious, consent needs to be explicitly obtained

    On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings following its investigation into Home Depot of Canada Inc.’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC concluded that organizations can’t rely on implied consent obtained via a privacy policy for certain unexpected uses and disclosures of customer personal information, even where that information isn’t sensitive in nature.

    The OPC’s investigation followed a complaint from a customer surprised to discover, upon a review of his Facebook account information, that Facebook had a record of many of his in-store purchases from Home Depot. In the course of the investigation, the retailer confirmed that when in-store customers chose to receive their receipt by email instead of or in addition to a paper receipt, it forwarded to Meta the customer’s hashed email address and in-store purchase details (for example, date and dollar amount of purchase, and general type of purchase) for analysis using Meta’s “Offline Conversions” tool. Meta would then match the hashed email address to determine if it had a Facebook account that corresponded to that email address. If the customer had a Facebook account, Meta would compare the customer’s offline purchase information to the retailer’s ads delivered to the customer by Meta to measure the effectiveness of those ads. If, for example, the customer had purchased goods in-store that had been previously advertised to the customer via Meta’s advertising tools, that would indicate the effectiveness of that particular ad. Meta would provide the results of that analysis back to the retailer in the form of an aggregated report, giving insight into the impact of its advertising on its customers’ ‘offline’ purchasing behavior. This report that was provided back to Home Depot would not identify any particular customers, but give broader insights into the general effectiveness of its online ads.

  • 12 Dec 2022 9:34 AM | CAN-TECH Law (Administrator)

    Ontario Court of Appeal holds that accused had no standing to challenge search of vehicle he rented under a false name

    In R. v. Dosanjh, the accused was convicted of first degree murder, arising from having shot the victim and escaped in a “getaway car” moments later. Among the evidence against him was data taken from the vehicle’s “infotainment system” that, among other things, tracked the movement of the car. At trial the tracking data was admitted after the trial judge refused to exclude the evidence despite finding a breach of s. 8 of the Charter. On appeal, the accused argued that the trial judge had made various errors in this analysis, and the Crown countered with the argument that, since the accused had rented the car using a false name, the trial judge had erred in finding the accused even had standing to raise the s. 8 breach. The Court of Appeal agreed with the Crown, holding that the trial judge had erred in finding that the accused’s subjective expectation of privacy in the data was also objectively reasonable, and without this the accused had no standing to argue the breach.

    For the Court Fairburn ACJO held:

    [124]   Not all biographical core information is made equal. In relation to each set of data, the trial judge should have calibrated the degree to which the appellant’s biographical core of personal information was engaged. We are not talking here about medical records, private communications or the like, all of which presumptively contain a high degree of personal information. Rather, we are talking about information that rests further down the privacy line.

    [125]   As for the contact list, it was not even the appellant’s contact list. While it may have held the appellant’s number and name, thereby connecting the appellant to Mr. Passi, there was nothing more that could have engaged the appellant’s privacy interest.

    [126]   While I accept that GPS data stored in an Infotainment system can inform where a car was and, by implication, where the driver was during a specific period of time, it is really just a form of tracking data. To this end, it has been long established that tracking information “is a less intrusive means of surveillance than electronic audio or video surveillance”: R. v. Wise, [1992] 1 S.C.R. 527, at para. 48. The somewhat diminished privacy interest engaged by tracking data is reflected in the fact that, even where an individual has standing in relation to that data, the police can obtain a judicial authorization to have it produced on the lower standard of “reasonable grounds to suspect”: Criminal Code, ss. 487.017. As well, also engaging the lesser standard of suspicion, the police can obtain an authorization to install a tracking device on a vehicle and have that vehicle tracked in real time for lengthy periods: Criminal Code, s. 492.2(1).

    [127]   Therefore, there exists both a jurisprudential and legislative recognition that, while tracking data may engage a biographical core of personal information, that data rests a good distance away from the more intimately personal end of the privacy spectrum. As part of the “totality of circumstances”, the trial judge should have considered these factors when calibrating the objective reasonableness of the appellant’s subjective privacy interest.

    [128]   As well, the trial judge should have considered other factors informing the objective analysis. What is absent from his reasoning is how the appellant came to be in possession of the QX60 – which was relevant to an assessment of both the place where the search occurred and the appellant’s control over the subject matter.

    [129]   It was the appellant’s burden to establish on a balance of probabilities that he had a reasonable expectation of privacy in the subject matter of the search. Although he did not have to demonstrate a proprietary interest in the vehicle, he had to establish something beyond a tenuous connection to it…. By holding himself out to the rental agency as Jaspinder Nagra – personating Jaspinder Nagra – the appellant came into fraudulent possession of the QX60, thereby rendering his connection to the vehicle tenuous at best. Not only was the appellant in unlawful possession of the QX60 when it was collecting and storing data on the Infotainment system, but he had no colour of right over the vehicle – no excuse for his possession. In short, he could neither use the car nor exclude others from it. 

    [130]   In fact, and in the most minimalist of terms, he was a trespasser in the QX60 when it was collecting and storing the subject matter of the search: Simpson, at paras. 50-51; R. v. Caza, 2005 BCCA 318, 198 C.C.C. (3d) 273, at paras. 32-33. The fact that the appellant fraudulently accessed the place and his lack of control over the QX60 – without a colour of right – are relevant circumstances informing whether he could objectively expect privacy in the data generated by his use of the QX60.

    [….]

    [134]   The question is whether Canadians ought to have a reasonable expectation of privacy in GPS data and the contents of a friend’s contact list, all of which has been created and stored in a vehicle they have, in essence, stolen. The answer to this question does not depend on whether the information contains evidence of illegal activity.

    [135]   The answer to this question is: “no”.

    [136]   Although a person may reasonably expect that, barring prior judicial authorization, the tracking data produced by a car that they drive will be protected from state seizure, that expectation is not objectively reasonable here because the appellant had no right to possess or use the car that produced that data. In addition to other considerations, the appellant cannot plausibly assert that his dignity, integrity, or autonomy are at stake when his claim to privacy hinges on the very fraud that he committed to obtain that car in the first place: Chow, at para. 34.

    [137]   I do not doubt that the appellant desired privacy and hoped for it; that is clear from his subterfuge in obtaining the car. The appellant hoped to avoid detection; he hoped that however the car was used, it could not be traced back to him. But that is a far cry from establishing a reasonable expectation that he was entitled to privacy: R. v. Van Duong, 2018 ONCA 115, at para. 7.

    [138]   In all of these circumstances, including the nature of the subject matter, the place where the search occurred and the appellant’s lack of control over the subject matter, I conclude that the appellant did not have a reasonable expectation of privacy in the subject matter of the search.

  • 12 Dec 2022 9:34 AM | CAN-TECH Law (Administrator)

    American Bar Association publishes formal opinion providing caution regarding cc’ing clients on emails

    On 2 November 2022 the American Bar Association’s Standing Committee on Ethics and Professional Responsibility (the “Committee”) issued its Formal Opinion No. 503, which deals with the use of “reply all” in email communications by lawyers. The opinion begins by noting the obligation on counsel not to communicate directly with represented parties without the consent of that party’s counsel (unless legal or ethical obligations require it), usually referred to as the “no contact rule.” It then observes that some disputes have arisen around situations where counsel for a party sends an email to an opposing lawyer and cc’s the client on the email. If the opposing lawyer responds to the email using “reply all,” has that lawyer breached the no contact rule? At the state regulatory level, the view had been expressed that the cc’ing of the client in the email did not necessarily mean that the sending lawyer was waiving the no contact rule, but that such waiver could be implied in some circumstances.

    The Committee felt this situation was unsatisfactory, as it muddies the interpretation of the Rule, making it difficult for receiving counsel to discern the proper course of action or leaving room for disputes. It concluded that: “given the nature of the lawyer-initiated group electronic communication, a sending lawyer impliedly consents to receiving counsel’s “reply all” response that includes the sending lawyer’s client, subject to certain exceptions...” This was justified on a number of grounds. First, a lawyer who brings a client in on a physical meeting or conversation with an opposing lawyer is impliedly waiving the rule and it would be reasonable for the opposing lawyer to think so, and the same logic should apply here. The purpose of the no contact rule is to prevent the opposing lawyer from “overreaching or attempting to pry into confidential lawyer-client communications,” and the obligation is and should be on the sending lawyer to impose clarity on the situation and not undermine this purpose. It is fairer and more efficient to impose the burden on the sending lawyer, and resolving the issue is simpler for the sending lawyer.

    The Committee did note that the presumption of consent was rebuttable, by “an express oral or written remark” indicating lack of consent. Also:

    the presumption applies only to emails or similar group electronic communications, such as text messaging, which the lawyer initiates. It does not apply to other forms of communication, such as a traditional letter printed on paper and mailed. Implied consent relies on the circumstances, including the group nature and other norms of the electronic communications at issue. For paper communications, a different set of norms currently exists.

  • 12 Dec 2022 9:33 AM | CAN-TECH Law (Administrator)

    Amendments made to satisfy requirements of CUSMA trade agreement

    A provision tucked into the Budget Implementation Act, 2022 amends the Copyright Act to extend the terms of copyright protection, including the general term, from 50 to 70 years after the life of the author, giving effect to one of Canada’s obligations under the Canada–United States–Mexico free trade agreement. The general term, contained in s. 6 of the Copyright Act, will be replaced with the following:

    Term of copyright

    6 Except as otherwise expressly provided by this Act, the term for which copyright subsists is the life of the author, the remainder of the calendar year in which the author dies, and a period of 70 years following the end of that calendar year.

    Order in Council 2022-2019, published on November 17, 2022, has fixed December 30, 2022 as the date that these amendments go into effect. Notably, by virtue of the transitional provisions contained in s. 280, the change from a 50-year to a 70-year term will not revive any copyrights that have expired before the coming-into-force date.

  • 12 Dec 2022 9:32 AM | CAN-TECH Law (Administrator)

    Revelations of the use of facial recognition and spyware by the RCMP results in a long list of recommendations and a call for accountability

    The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (also known as “ETHI”) has had a busy few months examining how Canadian police have been using or have considered using particularly intrusive technologies and techniques to advance their investigations. In two separate studies and reports, the Committee examined the use of facial recognition and artificial intelligence technology and the use of so-called on-device investigative tools, principally by the Royal Canadian Mounted Police.

    The review of the use of facial recognition by the Committee followed media reports and a Privacy Commissioner Investigation into the practices of Clearview AI. The company was actively crawling social media websites and ingesting billions of photos into its databases, analyzing them biometrically and then providing a service mainly to police agencies which it touted could identify a person or a suspect in any image. Initially the RCMP denied that it had used the company’s facial recognition services, but ultimately admitted they had trialed it. The Commissioner concluded that the images would have been harvested in contravention of Canadian law and that the RCMP should only use services where the underlying data had been lawfully compiled. 

    Among its 19 recommendations, the Committee recommended tighter regulation of the use of the technology both in the public and the private sectors, that there be a moratorium imposed on the use of facial recognition by the police until a framework for review has been approved, and that there be a much more transparent approach to the use of facial recognition and artificial intelligence in the public sector. Scrutiny by the Committee and the Privacy Commissioner is credited with prompting the RCMP to establish a “National Technology Onboarding Program” to review police use and adoption of new technology and investigative tools.

    The same Committee carried out a study of the police use of spyware as an investigative tool after documents tabled in Parliament disclosed that the RCMP had been using “on-device investigation tools” (or “ODITs”), akin to spyware, for some years. This coincided with media reporting on an Israeli cybersurveillance company, NSO Group, and their software called “Pegasus”, which has reportedly been widely used against journalists, lawyers and politicians.

    In testimony before the Committee, the RCMP stated that ODITs provide law enforcement agencies with the capability to secretly collect private communications and other data that can no longer be obtained through conventional wiretap activities or other less intrusive investigation techniques. 

    A range of witnesses commented on the fact that the use of ODITs relies on vulnerabilities existing in devices and operating systems that manufacturers are likely not aware of. If they exist on suspects’ devices, they exist on the devices of many others. As a result, they can be exploited by a range of actors, both foreign and domestic. The Privacy Commissioner confirmed that his office had not been consulted at any time regarding the use of this invasive technology.

    The recommendations of this study closely parallel, thematically, the recommendations of the facial recognition study. They focus on increased accountability, increased scrutiny and increased transparency about the use of these tools. The Committee recommended a review of the provisions of the Criminal Code related to the interception of private communications and the creation of an independent advisory body composed of relevant stakeholders from the legal community, government, police and national security, civil society, and relevant regulatory bodies to review new technologies used by law enforcement and to establish national standards for their use.

  • 12 Dec 2022 9:04 AM | CAN-TECH Law (Administrator)

    “Intrusion” privacy tort does not apply to third party hacking claims


    Ontario CA determines that the defendant must be the party who did the intruding

    The Ontario Court of Appeal, in considering a trilogy of cases together, has definitively determined that the privacy tort of “intrusion upon seclusion” does not apply to a defendant whose information systems were intruded upon by a malicious third party. The three cases were heard together with three sets of reasons issued: Winder v Marriott International, Inc., Obodo v Trans Union of Canada, Inc. and Owsianik v Equifax Canada Co.

    In the landmark case of Jones v Tsige, the Ontario Court of Appeal had determined that the “Prosser privacy torts” exist in Ontario common law, including the tort of intrusion upon seclusion. Since then, numerous privacy class actions have been brought, many of which have pled this privacy tort. The question of whether this tort can be the basis of liability for a company that is itself a victim of a third party’s act has rested on the meaning of the word “reckless” in the articulation of the elements of the cause of action from Jones:

    [71] The key features of this cause of action are, first, that the defendant's conduct must be intentional, within which I would include reckless; second, that the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum. [emphasis added]

    Plaintiffs in such data breach class actions have argued that the breaches are the result of the defendant’s recklessness, usually with respect to the handling or safeguarding of personal information. 

    The most extensive reasons in the trilogy of cases were given by Justice Doherty in Owsianik. In all three cases, the question before the courts below was whether to certify the proposed class actions, which requires that there be a legally viable claim. The plaintiffs had experienced varied success in the courts below. 

    In its analysis of the intrusion tort, the Court summarized the elements and explicitly categorized the conduct, state of mind and consequences requirements:

    [54] The elements of the tort of intrusion upon seclusion are laid down in Jones, at para. 71. I would describe them as follows:

    • the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];
    • the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
    • a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

    The plaintiff argued that the state of mind requirement was applicable to the defendant, Equifax in this case. The Court disagreed: The state of mind requirement applies to the “intruder”. 

    [59] Ms. Owsianik’s submission misunderstands the relationship between the two elements of the tort. The first element, the conduct requirement, requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect. If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.

    The Court noted that Equifax may be liable to the plaintiff on some other basis, but not as an intruder of the plaintiff’s privacy. 

    [61] …. Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker. Equifax’s liability, if any, lies in its breach of a duty owed to the plaintiffs, or its breach of contractual or statutory obligations.

    The plaintiffs argued that the tort of intrusion upon seclusion should be extended to clearly be applicable to the “Database Defendants”, otherwise the plaintiffs would be without a remedy in these circumstances. This was dismissed by the Court of Appeal:

    [79] The plaintiffs’ “no remedy” argument really comes down to the assertion that because the remedies available in contract and negligence require proof of pecuniary loss, the plaintiffs who cannot prove pecuniary loss are left with no remedy. With respect, this is not what the court meant in Jones when it described the plaintiff as being without remedy. The plaintiffs here are in the same position as anyone else who advances the kind of claim the plaintiffs have advanced here. Because the claim sounds in negligence and contract, the plaintiffs must prove pecuniary loss. The plaintiffs’ position is miles away from the predicament faced by the plaintiff in Jones.

    [80] While it cannot be said the plaintiffs are left without a remedy, it is true that the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding. In my view, that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.

    The court finally noted, before dismissing the appeal, that if Parliament or the provincial legislatures wanted to extend the law so far as to provide moral damages in cases like this, they are able to do so.

  • 8 Nov 2022 5:03 PM | CAN-TECH Law (Administrator)

    We had a wonderful turnout at the 2022 CAN-TECH Law Fall conference November 2-3, 2022 at the Sheraton Centre Toronto Hotel.

    Click here for the highlights:

    https://cantechlaw.wildapricot.org/2022cantechlawfallconferencehightlights

  

Canadian Technology Law Association

1-189 Queen Street East

Toronto, ON M5A 1S2

contact@cantechlaw.ca

Copyright © 2024 The Canadian Technology Law Association, All rights reserved.