Quebec introduced sweeping changes to its privacy regime, making it the most consumer-friendly privacy law in Canada by giving individuals much greater control over their privacy while compelling private and public sector organizations to implement onerous prescriptive obligations that will be challenging to fulfil within two years, according to privacy experts.
The major overhaul, heavily influenced by the 2018 European Union’s General Data Protection Regulation (GDPR), introduces new privacy rights such as data portability rights and the right to be forgotten, new accountability and governance requisites, and new rules for the outsourcing and transfer of information outside Quebec. It also institutes new mandatory breach notification requirements, mandatory privacy impact assessments, clarifies consent requirements for collection, use or release of personal information, and significantly raises potential fines for violations.
An ambitious proposed overhaul of Quebec’s privacy law would make the provincial privacy watchdog the first Canadian privacy regulator with powers to directly impose administrative monetary penalties organizations for non-compliance.
The report notes that nearly one in five organizations fail to make the GDPR a top priority, 31 per cent feel that the sole purpose of their program is to comply with the mandate by the deadline, and only 28 per cent see the GDPR as an opportunity to gain consumer trust and competitive advantage, in addition to being a compliance mandate. Moreover, it reveals that 51 per cent of organizations are either lagging or feel they will be only partially compliant by the deadline.
The report underscores that there is a “significant perception gap” between organizations and consumers around consumer data privacy and security performance. A staggering 80 per cent of executives believe that consumers trust their organization with the privacy and security of personal data. Consumers have a different take: only 52% of consumers agree with executives.
“This overconfidence can blind organizations to the improvements they need to make in data practices and prevent sufficient investment,” said the report. “Such organizations will eventually lose out as consumers increasingly demand a best in-class data protection experience.”
The global tech consultant leader strongly argues that GDPR is in fact a new opportunity waiting to be tapped but only for “organizations that get it right.” Besides enhancing employee loyalty, it maintains that consumers are “more willing to engage with organizations that protect data.”
When consumers are convinced that an organization is protecting their personal data in line with the GDPR mandate, nearly half would share their positive experiences with friends and family. Just as importantly, more than one in three consumers (39 per cent) will spend more with an organization when convinced that the organization protects their personal data.
More ominously, over 70 per cent of consumers said they are prepared to decrease spend and stop doing business with organizations in breach of GDPR compliance. In addition, 64 per cent of consumers said they are likely to request non-EU companies to delete their data if they find organizations non-compliant once the GDPR comes into effect.
You can still download the application if you want. But if you believe what Kyle Zak has to say about it, it’s not something you would do. Not unless you don’t mind the trade-off between ease-of-use and the reams of information you will allegedly provide to the popular audio maker Bose Corp.
The lawsuit filed by Zak against Bose is the latest to allege companies of surreptitiously tracking consumers, without their consent, to collect data and then to either solicit more business or sell it to third parties. Early this year Ottawa-based sex toy maker We-Vibe settled a privacy lawsuit for $5 million after a line of its vibrators were found to have secretly collected and transmitted “highly sensitive information” about consumers without their knowledge or consent. In February 2017, Vizio Inc., one of the world’s largest television maker manufacturers and sellers of internet-connected “smart” televisions, agreed to pay US$2.2 million to settle charges by the Federal Trade Commission that it installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent.
The proposed class action against Bose alleges that the popular Boston-based audio manufacturer secretly collected, transmitted and disclosed its customers’ private music and audio selection to third parties, including a data mining company, Segment.io. The suit seeks an injunction to stop and prohibit Bose’s “wholesale disregard for consumer privacy rights” who download the companion app. Zak is also seeking millions of dollars in damages for consumers who purchased Bose’s wireless headphones and speakers.
“I have Bose headphones, and I love them,” said Ann Cavoukian, former Ontario privacy commissioner. “But if this proves to be true, I will be throwing them out. I will not tolerate this kind of activity that is taking place without the consent of the users.”
Introduced in 2016, the app, called Connect, allows customers to remotely control their Bose wireless products, and ostensibly makes it easier to pair different music sources such as an iPhone with Bose speakers and headphones. The proprietary software allegedly is programmed to continuously record in real time the music and audio tracks played through Bose wireless products.
“The music and audio tracks that people listen to reveal sensitive information about themselves,” alleges the suit in Kyle Zak v. Bose Corp. Case No. 17-cv-2918. “In other words, knowing what music, radio broadcasts, lectures, and podcasts a person chooses to listen to is enough to make accurate judgments and predictions about their personalities and behaviors.”
Bose disputes the allegations. “We’ll fight the inflammatory, misleading allegations made against us through the legal system,” said Bose in its website on April 20th. Three days later, Bose stated that
“You’ll find that the Connect App collects standard things to make your experience, and our products, better — like device information, app performance, and app and product usage. That includes information about songs playing on the device, the volume they’re played at and other usage data.”
On April 25th, Bose underlined that its Connect app “will be updated” so that consumers can opt out of having it collect data. “Any information collected before the opt-out is available will be altered, so it can’t be linked to you or your device by anyone,” added Bose. On May 3rd, the Connect app was updated.
The Office of the Privacy Commissioner of Canada (OPC) is not investigating the matter. If the Office receives a complaint, then it could launch an investigation, said Tobi Cohen, a spokesperson with the OPC.
However, the OPC launched an investigation in 2015 into a similar matter involving Bell Canada. While the case is not about a company “directly selling people’s information, it is an example of monetizing personal data,” noted Cohen
In August 2013 Bell caused an uproar after it announced that it would use customers’ network usage and account information to enable the serving of targeted advertisements. Bell intended to track the Internet browsing habits of customers, along with their app usage, TV viewing and calling patterns. By combining the information with demographic and account data already collected from customers, and creating highly detailed profiles, that enabled third parties to deliver targeted ads to Bell’s customers for a fee. The program involved combining customer information from several Bell affiliates offering a range of mobile, home phone, Internet and TV services. The OPC concluded that “Bell was not, via its opt-out model, obtaining adequate consent” for its “Relevant Advertising Program.” After the release of the OPC’s report, Bell decided to withdraw its program, stated that it would delete all existing customer profiles related to the program, and said that if it launches a similar program in the future, it would do so using express opt-in consent.
The crux of the problem is that companies and consumers and privacy commissioners do not see eye-to-eye over what constitutes personal information. Privacy policies shed a bit of light over what companies deem to be personal information. But as Pam Dixon, the executive director of the World Privacy Forum, noted recently, the definition of “personally identifiable” is usually up to the company.
“It should not be up to companies to determine what is personally identifiable,” said Cavoukian. “Personally identifiable information means any information linked directly or indirectly with personal identifiers that identify you. So we’re not just talking about names and addresses. There could be indirect linkages that when connected with some other information point to you.”
But data has become an extremely valuable commodity. When a subsidiary of the gambling group Caesars Entertainment filed for bankruptcy in 2015, its most valuable asset was considered to be the data it held on its 45 million customers who joined its customer-loyalty program. It was evaluated at $1 billion. Another example is Uber. Its worth is estimated at $68 billion, in part because of the data it has on drivers and passengers for personal transportation. Even Bell acknowledged the value of data. “Bell asserts that by providing targeted (and thus more relevant) ads to users and more powerful and effective functionality to advertisers, it can improve its customers’ overall online experience, better compete in a global online advertising market with strong international advertising players, and ultimately generate greater advertising revenue,” according to the OPC’s report.
The tension over privacy between companies and consumers is not likely to fade. Consumers will likely continue to be caught between a rock and a hard place. The terms and conditions outlined by privacy policies are impenetrable. On top of that, consumers often no choice to accept them if they want to use the app they have downloaded.
But consumers, at least in Europe, will have another weapon at their disposal to keep companies in line, said Cavoukian. As of May 2018, the European Union’s General Data Protection Regulation (GDPR) strengthens people’s control over their data as it requires companies to get explicit consent for how they use data. Fines for breaches under GDPR will be stiff – up to four per cent of global revenues or US$22 million.
That is an example that should be followed in North America, said Cavoukian. While unlikely, companies nevertheless doing business in Europe will have to pay attention. “You are going to see a lot of action next year on the heels of the GDPR,” said Cavoukian. “You are going to see changes because people are getting increasingly concerned about their privacy, and governments are responding.”
A month after the parent company of the controversial adult dating website Ashley Madison settled a complaint with the U.S. Federal Trade Commission and state charges over the 2015 data breach that exposed the personal data of more than 36 million users and highlighted the site’s unfair and deceptive practices, the firm is now trying to thwart 20 class actions against it by invoking online arbitration agreements the plaintiffs signed when they subscribed to its matchmaking services.
Just before the Christmas holidays, Toronto-based Avid Life Media Inc. (ALM) agreed to pay US$1.6 million and implement a comprehensive data-security program, including third-party assessments, to settle claims by the FTC who worked in collaboration with 13 U.S. states. According to the FTC complaint, until August 2014, operators of the site “lured” customers, including 19 million Americans, with fake profiles of women designed to convert them into paid members.
ALM, now known as ruby Corp., still faces a slew of class actions stemming from the data breach, and in a move to dismiss the claims, it is arguing that that plaintiffs agreed to an arbitration clause and a class action waiver when they signed up. Plaintiffs attorney counter that the arbitration provision is “buried after pages of legalese.” (Over the past decade thousands of U.S. businesses have used arbitration “to create an alternative system of justice” that tends to favour businesses, according to an investigation by the New York Times).
Closer to home, Canada’s privacy watchdog says that more enforcement powers would have been “useful” to deal with the numerous privacy violations committed by ALM.
A joint year-long probe by Canadian and Australian privacy commissioners, launched after the massive data breach, found that ALM had inadequate or nonexistent security safeguards and policies while marketing itself as a discreet and secure way for consenting adults to have affairs. The company even went so far as to use fictitious security trustmarks on Ashley Madison’s homepage to reassure users and convey the impression that that the website had a high level of security and discretion.
Under a compliance agreement with the Office of the Privacy Commissioner of Canada (OPC) and an enforceable undertaking with the Office of the Australian Information Commissioner (OAIC), the company agreed to conduct a comprehensive review of its information security systems, strengthen its security framework, document its efforts, ensure adequate training of staff, and provide a report from an independent third party documenting the measures it has taken to come into compliance.
“Theoretically this is the kind of case where additional enforcement powers would have been useful,” said federal Privacy Commissioner Daniel Therrien. “It’s not that in the absence of these powers we do not have influence. But other jurisdictions in the U.S. and Europe have order-making powers and can impose fines so clearly the question whether the OPC should have these powers arises.”
Ann Cavoukian, a three-term Ontario privacy commissioner, is in favour of granting the federal privacy commissioner with more enforcement powers. “When I was Commissioner I felt so grateful and fortunate that I had order-making powers because that gave me the stick I never had to use,” said Cavoukian, the executive director of the Privacy and Big Data Institute at Ryerson University. “Having the stick allowed me to get an organization to agree to things informally because they knew I could pursue this in a much more serious manner.”
But while Ottawa privacy lawyer Kris Klein too bemoans the fact that the OPC does not have powers that have “bite,” he commends the federal privacy watchdog for using the high profile case as a springboard to serve a strong reminder to business and organizations that they must put in place safeguards that take into account the sensitivity and amount of information that they collect and use. The comprehensive report, unlike the vast majority of reports penned by the OPC, also provides solid guidance that will help privacy lawyers, added Klein. “The report is extremely helpful as it helps privacy practitioners better understand what the privacy commissioner expects in terms of information security standards,” said Klein of Nnovation LLP. “So going forward I’ve got a lot more concrete things to point to when I’m advising clients as to what should and shouldn’t be done from a security perspective when it comes to dealing with personal information.” That is a harbinger of things to come, said Therrien. “One of my objectives is to increase the privacy of Canadians and to give practical guidance to companies as we have done here,” added Therrien.
Privacy experts are however concerned that many organizations will not pay heed to the findings and guidance yielded by the report because they don’t manage personal information as sensitive as the one collected and used by Ashley Madison. That would be a mistake, said Cavoukian. “Many companies obviously won’t be exactly in the same situation in terms of the sensitivity of the data collected in this site but in this day and age of cybersecurity attacks that occur almost on a daily basis, if you are dealing with any personal information, meaning any data that contains personal identifiers either directly or indirectly, security has to be top of mind,” said Cavoukian.
The report was “careful to point out” that a data breach or a security compromise does not necessarily mean that an organization failed to establish adequate safeguards under PIPEDA, noted Klein. In order to determine whether a PIPEDA contravention took place, the OPC will perform a contextual analysis that will examine whether the safeguards in place at the time of the data breach were “sufficient” given the sensitivity of the information. That is a finding that will reassure organizations, particularly American ones, as many are wary of having to deal with a regulator when a data breach occurs, “particularly in situations where they feel they have been victimized,” said Klein.
Organizations should also be aware that the OPC’s definition of harm is broad, extending beyond financial loss to individuals due to fraud or identify theft, said Fazila Nurani, a privacy and information management lawyer. The OPC also takes into account subjective types of harm such as reputational harm as it could potentially have a profound impact on an individual’s ability to access and maintain employment, relationships or even safety depending on the information, said the report. “This is such an important point,” noted Nurani. “The courts have started to recognize that privacy is a right in and of itself regardless of whether you have been financially impacted or not – and the regulator in this case is on the same wavelength.”
Retention policies were also examined by the OPC in the report. ALM’s practice was to keep all information contained in inactive or deactivated profiles indefinitely in case an individual wished to reactivate their profile in the future, despite the fact that 99.9 per cent of people who did reactivate their account did so within 29 days of deactivation. The OPC makes it clear that retention policies should be based on a “demonstrable rationale” and timeline. “A lot of organizations just don’t put enough time into developing retention policies,” remarked Nurani. “They just keep the information indefinitely on an electronic system so the guidance about retention is a really big takeaway for business.”
But perhaps the most important lesson that can be drawn from the Ashley Madison case is the importance of adopting clear and appropriate processes, procedures and systems to handle information security risks, supported by internal or external expertise, said Therrien. Organizations whose business model rely on vast amounts of personal information should “think hard” about what kind of information it collects, assess the risks it poses – and plan accordingly, said Therrien. Documenting security policies and procedures is key as it provides clarity around security-related expectations for staff as is conducting regular and documented risk assessments, added Therrien.
“To be systematic about it means that you’re more likely to take effective measures to reduce the risk of a privacy breach,” said Therrien. “If you are not systematic then things will fall through the cracks, and you will be more at risk of these privacy breaches. Hopefully people will listen because clearly this is not (an) isolated (case).”
Quebec, once a pioneer that lead the movement towards greater government transparency, is now among the least transparent provinces in Canada after successive provincial governments introduced more than 150 legislative exemptions that undermined the province’s access to information legislation, according to a recently published comprehensive report by Quebec’s Commission d’accès à l’information.
With Quebec ranking 10th out of 14 jurisdictions in Canada, and 57th in the world, behind Honduras and Romania, the Quebec government should overhaul the provincial access to information legislation to compel all public bodies, even those partially financed by the provincial government, to be subjected to the access to information law, noted the 214-page, five-year report that issued 67 recommendations. The Commission, which also oversees provincial privacy legislation, also called on the Quebec government to beef up privacy protection measures.
“The access to information law has not been the subject of a thorough reform in 35 years, and the privacy legislation in 22 years,” remarked Diane Poitras, the Commission’s vice-president. “It’s time to re-establish the balance between the rights of citizens — who are calling for greater transparency and stronger privacy protection measures — and the needs of business and government organizations to collect and use” — and in some cases safeguard — information.
The Quebec government last year published a 191-page discussion paper that pledged to curb the culture of secrecy that is seemingly well-entrenched within the public sphere by relaxing restrictions and vowing to taking a proactive approach towards releasing information. But the Commission said the government’s proposals do not go far enough to close the loopholes that currently exist and nor does it introduce measures to strengthen the province’s privacy legislation, both of which should be “modernized” simultaneously to ensure the harmonization of rules and concepts, said the report.
The paramountcy of public interest should be at the heart of reforms to access to information legislation, asserts the Commission. Access to documents in the hands of public bodies should be the rule rather than the exception, something that is not the case. Legislative exemptions are often scripted in very broad terms, noted Poitras. In many cases exemptions allow a public body to deny access to a document simply because it corresponds to a certain category of information. In other cases, a public body can reject a request for a government report if the report is less than 10 years old. In yet others, the decision rests in the hands of civil servants who do not have to provide any justification for their refusal.
“Little by little, stroke by stroke, law after law there were exemptions that were added, and faced with these restrictions judges took a conservative approach and themselves added yet more restrictions,” said Vincent Gautrais, a Université de Montréal law professor and chair holder of the L.R. Wilson Chair in Information Technology and E-Commerce Law. “Even interpretations by the Commission’s administrative adjudicators at times added to the restrictive jurisprudence.”
The Commission’s report recommends that public bodies should only be allowed to refuse access to information requests only if there is a “real” risk of harm. “Why should a report that contains advice or recommendations be in itself confidential,” asked rhetorically Poitras. “One must evaluate the context and possible consequences of divulging the information to decide whether or not it should be accessible.”
The Commission also “invites” the provincial government to close loopholes now in existence that grant professional corporations “quasi absolute” discretion to decide what documents it can release. And it urges the government to clarify access to information provisions surrounding professional secrecy because a growing number of public bodies are invoking professional secrecy to deny access to documents prepared by professionals covered by Quebec’s Professional Code. Though all Quebec professionals subjected to the Code can invoke professional secrecy, the report believes that professional secrecy should be summoned only in exceptional circumstances when refusing access to information.
On the privacy front, the Commission recommends following in the footsteps of the federal government and make it a mandatory requirement for organizations to give notice to affected individuals and the Commission when a data breach takes place. (The federal Digital Privacy Actreceived royal assent more than a year ago but is still not in force because the federal government has to complete the drafting of data breach notifications and reporting regulations). The Commission is also calling on the provincial government to bolster consentment requirements around the collection, use or disclosure of personal information by including the notion of “sensitive” information.
All in all, the Commission’s 67 recommendations fall broadly into three distinct categories, remarked Loïc Berdnikoff, an access to information and privacy expert with Montreal law firm Lavery, de Billy. Some of the recommendations essentially seek to legislate certain rules that were developed over the years by jurisprudence to “eliminate any ambiguities,” other recommendations such as data breach notifications strive for a “certain homogeneity” with Canadian jurisdictions, and yet others will impose new obligations on public and private organizations alike, said Berdnikoff. “The report seeks to address some of the difficulties the Commission has faced over the past few years or expects to face in the future,” said Berdnikoff. “The Commission is hoping for greater transparency within public bodies while providing greater protection around the collection and use of personal information. Obviously this was a very strong statement by the Commission that something needs to be done, and it’s not just a general statement. They have been able to identify at least 67 problems.”
Gautrais believes that the Commission’s recommendations are far too fussy and not nearly as ambitious and bold as they should have been. He also warns that careful thought should be given to a legislative overhaul as legislators, albeit with good intentions, end up creating more problems than solving them when trying to address issues sparked by new technologies.
“What the Commission is doing with this very long report is patch things up,” said Gautrais. “Almost all of the recommendations are centred on details. But judges on the whole already do a good job of adapting changes into current legislation. Each time legislators decide that because there are new technologies the legislation should be changed, there are new difficulties and challenges. As a general rule, jurisprudence does a relatively good job of adapting to new realities.”
This story was originally published in The Lawyers Weekly.
The consent model, the cornerstone behind the federal legislation that governs how private sector organizations may collect, use or disclose personal information in the course of commercial activities, is under the microscope after the Office of the Privacy Commissioner of Canada (OPC) published a consultation paper that examines its viability in today’s digital information ecosystem.
The mind-boggling pace of technological advances and the advent of cloud computing, big data analytics and the Internet of Things (IoT) has spurred the collection of such unprecedented amounts of personal information — often shared among invisible players — that it has placed the consent model under strain. Against this backdrop, business find it increasingly challenging to fulfil their privacy obligations under Personal Information Protection and Electronic Documents Act (PIPEDA) while individuals face the impossible task figuring out what organizations are processing their data and for what purposes, noted the OPC’s discussion paper. That has prompted some to advocate the easing of consent requirements around the collection of personal information while others argue for measures to strengthen it.
“There is concern that technology and business models have changed significantly since PIPEDA was drafted as to affect personal information protections and to call into question the feasibility of obtaining meaningful consent,” observed the OPC’s discussion paper entitled Consent and Privacy. The discussion paper, which sought comments until the end of July, explores different options to enhance consent under PIPEDA.
But privacy experts are skeptical that the consultation will lead to any tangible actions in the future. They point to the Digital Privacy Act, which received royal assent more than a year ago, yet is still not in force because the federal government has yet to complete the drafting of data breach notification and reporting regulations. “I know that some people are hopeful that it will result in more meaningful change down the road, and maybe these are the beginning steps that will result in that but I am not going to hold my breath,” said Kris Klein, an Ottawa-based privacy lawyer who is the managing director of the International Association of Privacy Professionals (IAPP) Canada. “Things in the privacy world in Canada seem to move at a snail’s pace. Canada is falling behind.”
The consent model was forged at a time when transactions had “clearly defined moments” in which information was exchanged, points out the discussion paper. Transactions, be it an individual doing business with a financial institution or making an insurance claim, were often routine, predictable, transparent and for a limited purpose. Individuals knew the identity of the organizations they were dealing with and how the information was collected and used.
That is no longer the case, particularly since the emergence of big data and the IoT. Through the use of complex algorithms, big data analyzes enormous data sets to reveal patterns, trends and associations to solve problems and generate value. Its ability to draw correlations between individual pieces of data can also pose risks that personal data will be used in ways that individuals did not consent to nor would have ever “reasonably expected to consent” to at the time the information was collected, said the discussion paper. IoT, while still in its infancy, is a development that allows for products such as smart thermostats, connected cars, and health and fitness trackers to collect data using sensors that is shared over telecommunication networks. A U.S. Federal Trade Commission staff report found that ubiquitous data collection and the potential for unexpected uses of data are the two most serious privacy risks of IoT. “A major challenge in this environment is how to convey meaningful information about privacy risks in order to inform the user’s decision whether or not to provide consent,” said the discussion paper.
“Consent is not a meaningful concept when it comes to defining people’s privacy rights,” said Daniel Michaluk, a Toronto privacy and data security lawyer with Hicks Morley Hamilton Stewart Storie LLP. “It does tend to under protect because we do have a problem with properly digesting what we are consenting to. It is just too complicated and there are too many data flows to keep track of and we can’t do it. That’s a problem.”
Éloïse Gratton, the national co-leader of the privacy and data security practice group at Borden Ladner Gervais LLP in Montreal, concurs. “We have a lot of upcoming technologies that are going to challenge this consent model even more,” said Gratton, who has published several books on privacy . “The consent model makes sense in theory but it’s no longer realistic. The technologies are too complex. It’s hard to use consent as a tool to make sure that people’s privacy and personal information is protected.”
The OPC proposes a series of “solutions” to deal with the challenges facing the current consent model, none of which will likely be a panacea, said the discussion paper. A combination of mechanisms that take into account that consent should not be a burden for individuals or organizations nor a barrier to innovation will likely be contemplated. Many of the proposed solutions focus on making consent “more meaningful” and making it easier for individuals to understand so that they can make informed choices. The current consent-based model of privacy protection for instance could strengthened by ensuring that there is greater transparency in privacy policies and notices. The use of third-party intermediaries who could set privacy preference profiles may be worth a look as are technology specific safeguards that have built-in compliance mechanisms, said the OPC. The internationally-recognized Privacy by Design (PbD) concept, which imposes obligations to account for privacy when creating products and systems, too is an option – and is a route chosen by the European parliament after it approved this spring tougher data privacy rules that enshrine the right to be forgotten. The new General Data Protection Regulation (GDPR), which governs the use and privacy of European Union citizens’ data, compels organizations to incorporate PbD principles into the development of business processes for products and services.
The OPC discussion paper also contemplates alternatives to the traditional approach to consent, such as the de-identification of data and types of information that may not necessarily require consent or “no-go zones” which prohibit the collection, use or disclosure of personal information in certain circumstances. The OPC would also consider the notion that consent is not always practical in some situations, as is the case in the new European Union framework. In the EU legitimate business interests can be cited as grounds for lawful processing without consent, except in cases where fundamental rights come into play. Also on the table are codes of practice that provide practical guidance to industry best practices, privacy accountability seals, and greater enforcement powers for the OPC.
“What we ultimately need is some sort of model that tells us what is and what is not permissible,” said Michaluk. “We have suggestions on how we might structure our thinking about it but there are no suggestions in the paper that talk about what that model might look like. That’s what we need. I don’t know what it looks like, and I don’t think anybody really does. It is the fundamental problem.”
But Gratton warned that before amending PIPEDA on consent, one should make sure that changes will not be “detrimental or problematic” following the emergence of new technologies. PIPEDA’s wording towards consent is flexible, maintained Gratton. It can accommodate new technologies and business models as well new social norms that may arise in connection with upcoming technologies or business practices, added Gratton. She raises the possibility of using a risk-based approach that focuses on the risk of harm which would reduce the burden of the notification obligation and concurrently the consent obligation. While it would “imply some rethinking to some extent” of PIPEDA’s current consent model, the risk-based approach could be incorporated into PIPEDA, said Gratton.
Klein leans towards an approach that would both ease consent requirements and strengthen them. A good example are Canadian banks which are governed by a robust regulatory regime that has earned the confidence and trust of consumers. “If we developed in the privacy field a robust and mature set of legislative principles overseen by a robust regulatory regime then maybe we can sort of start getting that same sense of comfort and confidence in organizations,” added Klein.
This story was originally published in The Lawyers Weekly.
A call by Canada’s privacy watchdog to the life and health insurance industry to voluntarily refrain from requesting clients for access to existing genetic test results is going to be ignored, setting the stage for a divisive debate over access and the use of such personal information.
After consulting stakeholders, commissioning research papers, and holding roundtables in the area of genomics and privacy, the Office of the Privacy Commissioner of Canada issued an eight-page policy statement asking the health and life insurance industry to extend their decade-long voluntary ban against asking applicants or existing policy holders to undergo genetic testing. More controversially, the OPC is also asking the industry to extend the moratorium to applicants who have already taken genetic tests. But the OPC’s policy statement is not definitive. Recognizing that the state of medical technology is changing rapidly, it admits that its position should be reviewed periodically.
“The thing that really jumped at me is that the OPC’s finding is preliminary, qualified, and based on its own research,” noted Daniel Michaluk, chair of information management and privacy practice group at Hicks Morley Hamilton Stewart Storie LLP in Toronto. “If the industry thinks it has a different justification, based on evidence or facts, that may in fact justify the use of genetic testing, that may change the (OPC’s) conclusion.”
With genetic testing becoming quicker, more affordable, and more readily available, growing number of Canadians are turning to genetic testing for reproductive planning, to explore their ancestry, or to find out whether they have a genetic predisposition to diseases. Others still undergo genetic testing to participate in long-term research projects such as Canada’s ambitious Personal Genome Project, which is recruiting volunteers willing to share their genome sequence with scientists to study.
Canada is the only G-8 country without a policy or legislation on the use and collection of genetic information for non-research or health purposes. The legislative absence has spurred privacy concerns and fears that individuals will be discriminated against because of genetic markers and be denied coverage or be charged prohibitively expensive rates.
“This is a strongly-worded recommendation,” said Carman Baggaley, senior international strategic policy analyst at the OPC. “We certainly hope that the industry will take it seriously. We’ve had what we thought was a positive dialogue with representatives of the industry.”
But the life and health insurance sector intends to stand its ground. While it will not “under any circumstances” ask applicants or existing policy holders to undergo genetic testing, the industry does expect clients who have already taken genetic tests to share those results with life and health insurers, said Frank Zinatelli, vice-president and general counsel to the Canadian Life and Health Insurance Association Inc., a non-profit industry group.
The notion of “good faith” and “material information” lies at the heart of the conflicting positions. The industry maintains that insurance contracts are based on good faith, and that both parties have an obligation to disclose any information that may be relevant to the contract – a principle that is entrenched in insurance legislation in each province. Genetic test results are deemed by the industry to be material information because it allows insurers to be able to properly assess risks associated with clients and to charge “correct levels” of premiums, said Zinatelli. “The insurance industry has been dealing with sensitive information from the very beginning,” added Zinatelli. “We have in place safeguards and protections so that information is maintained consistent with all privacy rules now in place.”
The privacy watchdog is far from convinced. The policy statement asserts that the industry association does not define what constitutes material information. Nor does the industry differentiate between different types of genetic tests or the purposes for which the testing was done, according to the statement. “Where we disagree is around the issue of what’s material,” said Baggaley. “It would certainly appear that all of these tests are not material, and that from a consumer’s perspective it would be desirable if there was clarity around the concept of what is material.”
The OPC has yet more concerns, principally centering around the notion of reasonableness. After examining the issue through the use of a four-pronged test, the OPC concluded that the collection and use of existing genetic test results does not appear to be necessary at present, that the validity and accuracy of individual genetic tests cannot always be guaranteed, that its collection and use is not proportionate to the benefits the industry would gain from using test results, and that there are other less privacy invasive alternatives available to the industry. (See sidebar).
“The four-point test is a bit of a sticky point for organizations, and the OPC has applied it differently at different times,” said Michaluk. “It’s not about consent at all. It’s about reasonableness and proportionality. The fourth part of the test, involving less privacy invasive alternatives, is the one that organizations view as the most aggressive because it tends to rule out better means that are more intrusive – and it has been applied in a very strict manner.”
Other privacy experts, while sympathetic to the industry’s position, warn life and health insurers that to ignore the OPC’s policy statement is to do so at their peril. The Privacy Commissioner has very broad investigative powers and the ability to take organizations to court, said David Fraser, a privacy lawyer with McInnes Cooper in Halifax. While the Privacy Commissioner can only make recommendations, and not orders, under the Personal Information Protection and Electronic Documents Act (PIPEDA) the Commissioner may apply to the Federal Court for a hearing. The Federal Court in turn can order an organization to change its practices and award damages to a complainant.
“There is also a potential public relations fallout if it ends up in the media that the Privacy Commissioner specifically told you not to do this, and you went out and did it anyway,” said Fraser. “So they should be cautious and prudent and think twice before they went out against the statement.”
That the OPC forged ahead with a policy statement without launching an investigation into the matter is unusual and revealing, said Kris Klein, a privacy lawyer with NNovation LLP in Ottawa. The OPC has long complained that they do not have enough powers to compel organizations to comply, pointed out Klein. “When you read their statute, they do have the power to conduct research but it is the way that they are sort of using it as an enforcement tool that I think is quite interesting,” said Klein, who has advised the Privacy Commissioner. “It is an indication that they are frustrated with their own powers, and they are really pushing the envelope when it comes to trying to find other ways to get compliance.”
Privacy experts are concerned about the reach of genetic testing and its privacy implications, but they are also mindful that life and health insurance companies need to make fully informed decisions based on risk, which is why all have praised the OPC for demonstrating “sensible flexibility.”
“They want to reserve for themselves freedom of action in the event that they are presented with a case,” said Fraser. “The amount of information you can get from genetic material is going to change over time, and so too is its reliability. Under PIPEDA, you can only collect information that is reasonable and necessary, and because PIPEDA is principle-based, what is reasonable and necessary can change over time. Their conclusion shows some sensible flexibility.”
The OPC used a four-point test to analyze the issue of whether genetic test results should be used by health and life insurance industry:
Is the collection and use of this personal information necessary to achieve a business legitimate business purpose?
Is the personal information likely to be effective in achieving that purpose?
Is the collection and use proportionate to the benefits gained?
Workplace privacy, an issue few seriously thought about even a decade ago, has become a conundrum for employers. The ubiquitous presence of mobile technology, the explosive evolution of social media coupled with shifting and seemingly contradictory attitudes towards privacy as well as an evolving legal landscape have left in-house counsel in a quandary. Even outside of work, questions linger around the scope of employee privacy and the extent to which employers can keep tabs on employees.
No wonder then when Borden Ladner Gervais LLP recently ran a seminar on workplace privacy in Toronto in the wake of a much publicized Supreme Court of Canada ruling that has divided privacy lawyers over its significance, the turnout out was nearly twice as much as expected. “Privacy is on people’s minds,” says Robert Weir, an employment lawyer who led the seminar. “People don’t understand it, don’t get it.”
The privacy legal environment in Canada is bewildering. Privacy is governed by a patchwork of privacy legislation, individual employment contracts, and Charter rights that have sought to strike the appropriate balance between employers’ rights to monitor employees and employees’ rights to privacy. What’s more, the nature and scope of protection given to an employee’s personal information varies according to the provinces; only Alberta, British Columbia, and Quebec have enacted privacy legislation. And while there is a fairly rich body of Canadian labour arbitration decisions on employee privacy rights on workplace computers, Canadian jurisprudence emanating from the appellate level is sparse, points out Daniel Michaluk, a leading privacy lawyer with Hicks Morley Hamilton Stewart Storie LLP.
That’s why all eyes were on the nation’s highest court. In a ruling hailed by some as significant and bemoaned by others for failing to provide the kind of clarity employers hoped for, the Supreme Court unanimously held in R. v. Cole 2012 SCC 53 that employees have a diminished, but reasonable, expectation of privacy in personal information stored on an employer-issued computer, “at least where personal use is permitted or reasonably expected.” While an employer’s ownership of a laptop, its workplace policies and practices, and the technology in place can diminish an employee’s reasonable expectation of privacy, it does not eliminate it, added the Supreme Court. “Whatever the policies state, one must consider the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation,” wrote Justice Fish for the majority.
The ruling, however, fell short of meeting expectations. The Court’s expectation of privacy is principled and broad, providing no clear-cut guidelines that may help employers or employees to navigate the murky concept surrounding privacy. Or as Justice Fish put it: “I leave for another day the finer points of an employer’s right to monitor computers issued to employees.” Dean Dolan, vice-president, associate general counsel and privacy officer at Wal-Mart Canada Corp. said that privacy experts are a “little bit frustrated” because the SCC “didn’t dive in definitively to make a decision in the privacy area.”
Nevertheless, like other privacy lawyers, Dolan describes the ruling as an authoritative first step. Michaluk, who represented the Canadian Association of Counsel to Employers who were interveners in the case, concurs. Depicting the decision as an evolution in privacy law, Michaluk says the ruling is significant because the expectation of privacy in the workplace has been recognized. “It isn’t necessarily preclusive though because it is only the starting point, it is only a condition for making a privacy claim,” notes Michaluk. “The court said nothing about what employers can and cannot do despite that privacy claim.”
Indeed, though the Supreme Court found that employees have a diminished, but reasonable, expectation of privacy, it does not restrict management from acting in spite of that right. And that is viewed by privacy experts as a positive development for employers even though many will now have to face the fact that the simple “no expectation of privacy” disclaimer no longer holds true. “The old view that we give you a laptop and we can do whatever the heck we want is clearly not supported by the Supreme Court,” says Winnipeg privacy lawyer Brian Bowman, past chair of the Canadian Bar Association’s National Privacy and Access Law Section. “The ownership of the device is not in itself determinative in respect of accessing data on the devices.”
Where the issue becomes even more complicated is with the advent of a growing new trend that encourages, if not compels, employees to bring their own personal devices such as smart phones, tablets, and laptops to work to perform work-related tasks. Some 48 per cent of U.S. workers are allowed to use personal devices for work, according to the National Cyber Security Alliance and McAfee in an October 2012 report. In Canada that figures rests at 28 per cent, and is expected to top 35 per cent in two years.
While security is obviously one of the top concerns for employers, if only because sensitive data is literally walking out the company door day in, day out, the bring-your-own-device (BYOD) trend also raises a host of workplace privacy dilemmas, none of which have yet been addressed by the courts. That was one of the hot topics at the BLG seminar, and one that Wal-Mart Canada has grappled with. “We kind of finally have accepted the fact that it’s going to happen and so we developed a comprehensive policy which states that if you have work material on your personal device we as an employer have a limited interest in it, a limited right to that work product,” says Dolan.
But whether such a policy will hold up in court is anybody’s guess. One privacy lawyer said he had no idea if employers are allowed to look at the devices since there are issues of personal privacy connected with employer monitoring of a personal device. At the very least employers will have to wrestle with the fact that the expectation of privacy with personal devices is far greater than it is with company-issued devices, says Bowman. “The onus is clearly on employers to proactively educate their staff about what their rights are and how their privacy may be diminished in the workplace,” says Bowman, a partner with Pitblado LLP in Winnipeg.
In fact it could be argued that an employee’s privacy is diminished even outside of the workplace thanks to the pervasive presence of social media. Generally what employees do on their own time is their own business except when it has dire consequences on the employer. Employers are entitled to protect their assets, investment, reputation and brand as well as have a duty to provide a safe and harassment-free working environment. Social media highlights the tension between an employee’s right to privacy and the employer’s right to manage.
“Certainly if you are trying to manage your employee’s use of social media in the workplace, that is one thing but from a privacy law perspective what is challenging is that much of the social media usage by employees is occurring after work hours,” says Bowman. Numerous employees have been disciplined or fired on grounds that include breach of the duty of loyalty, breach of confidentiality and insubordination after making questionable comments through social media. In one case the British Columbia Labour Relations Board upheld the dismissal of two employees who made “offensive, insulting and disrespectful comments” about their supervisors on their Facebook accounts.
“Employees complain about work – let’s face it but ten years ago employees would have had that conversation in a bar after work and it would have died,” remarks Weir. “Now it stays there forever and it makes much easier for employers to discipline employees because there is a clear record of what they are saying. Employees have to be careful right now about what they think is private and what they think is off-duty.” All the more reason, says Bowman, for employers to develop and implement social media policies that extend beyond the work hours. “Social media policies go a long way to reminding and educating employees of their existing obligations and what’s proper and improper.”
But even when employers put in place clear workplace privacy and computer-use policies, it should take steps to assess the potential for employees to access and abuse information pertaining to other employees, customers and the general public. An Ontario Court of Appeal ruling rendered last year that recognized a new tort relating to privacy rights, or “intrusion upon seclusion” as they describe it, serves as a stark reminder over the importance of taking such steps. InJones v. Tsige, 2012 ONCA 32, the appeal court ruled that to make out a tort of intrusion upon seclusion, the plaintiff must prove that the defendant intentionally or recklessly intruded upon the plaintiff’s private affairs or concerns to the degree that a reasonable person would find highly offensive. Proof of loss is not necessary to recover damages.
The ruling, according to some privacy lawyers like Dolan, opens the door for potentially costly litigation and increased risk for Ontario employers. Weir agrees. “When employers are thinking about going to look into their employee’s emails even randomly, there is a potential liability now for employers in terms of how they deal with their employee’s privacy so having a clear policy and complying with that policy is important to address that liability,” says Weir.
With a growing number of employees who have integrated the Internet and social media into every aspect of their work and personal lives, there is no escaping that privacy matters will loom large for in-house counsel. As Bowman points out “on the one hand there has been a growing expectation of privacy, yet on the other what is seen as public and private has changed between generations.” The challenge for in-house counsel, says Dolan, is to keep on top of a sector that is constantly evolving – and “that’s tough.”
This story was originally published in the magazine In-House Counsel.
On the eve of a statutory five-year review of the legislation governing federally-regulated private-sector organizations, the Privacy Commissioner of Canada is openly calling into question the effectiveness of the ombudsman model to regulate private-sector practices for the protection of personal information in light of the recent spate of high-profile data breaches that have compromised the personal information of Canadians.
In the midst of reviewing Canada’s privacy accountability model before submitting a report to the federal government, Jennifer Stoddart will likely ask the government to consider introducing “meaningful sanctions as data breaches are getting totally out-of-hand” and a mandatory requirement for private-sector organizations to report significant data breaches to the Privacy Commissioner and affected individuals, something that the Canadian Parliament was considering before it was dissolved last spring for the elections.
“Within the next four, five months I am going to take a position of what kind of powers the Privacy Commissioner should have in the 21st century,” said Stoddart, who is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Office of the Privacy Commissioner of Canada (OPC) has the mandate of overseeing compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), will undergo a five-year review this fall.
“If that were to be the way we go, this would be a departure from certainly part of the ombudsman model. I guess it is this model fundamentally that I am asking to be examined – is it the most appropriate one particularly for the largely on-line environment of personal information used now,” added Stoddart, Canada’s Privacy Commissioner since 2003.
Stoddart’s reflections over the efficacy of the ombudsman model appears to coincide with the release of a report commissioned by the Privacy Commissioner that recommends granting the OPC additional powers such as the ability to levy fines and limited order-making powers aimed at small and medium sized businesses. The current ombudsman model, while “particularly well suited” to the first phase of regulating industry, does not appear to be as well suited to the small and business sector, where compliance rates are lower and the risk to personal information is greater, says the report, penned by Université de Montréal professor France Houle and Osgoode Hall Law School Dean Lorne Sossin.
“The ombudsman model is based on finding solutions through consensus, and to fine a business that does not comply with the statute is contrary to the very foundation of the ombudsman model,” noted Houle, an administrative law scholar who, along with Sossin, is part of a team assisting the Privacy Commissioner with the review she is now conducting. “We believe that if Parliament agrees with the Commissioner that order-making power should be conferred to the OPC then the OPC should be transformed into another type of board like a regulatory board such as the Canadian Radio-television and Telecommunications Commission.”
Stoddart, though, is far from convinced that “another type of public agency” needs to be established, pointing out that she is far from certain that “we are at a time” where yet more public agencies need to be created. “There are probably enough public agencies,” said Stoddart.
At present, the federal Privacy Commissioner has weaker powers than her counterparts in Alberta, British Columbia and Quebec who oversee substantially-similar private sector legislation. Unlike the other commissioners, Stoddart does not have the power to make orders, requiring organizations to comply with PIPEDA. She can only make “recommendations.”
The statutory five-year review of PIPEDA may prove to be an ideal opportunity to adopt a hybrid ombudsman model approach, says Kris Klein, a privacy lawyer with nNovation LLP in Ottawa. Klein points out that in Alberta and BC, the privacy commissioner will take a preliminary look at a case, try to deal with it informally, either through early resolution or mediation, and failing that then the matter heads towards an inquiry, a formal adjudicative proceeding in which the Commissioner receives submissions from all parties involved in the matter and decides all issues of fact and law. An inquiry concludes with the issuance of an order, which may be reviewed only by way of an application for judicial review before the Court of Queen’s Bench of Alberta.
“A lot of industry has been waiting and not adapting changes to their personal information handling practices because of the lack of significant consequence in the law,” said Klein. “So for those companies that have taken the time to make changes, I think they are going to sort of applaud the idea of legislation with more teeth because their competitors will have to take it more seriously too.”
Before making any changes to the ombuds model, noted privacy expert David Fraser suggests the need for a thorough debate to make sure “whether or not it is a correct choice to make.” Adequate procedural safeguards would have to be established if the federal Privacy Commissioner is granted order making powers or the ability to levy fines, says Fraser, a partner with McInnes Cooper.
“If all of a sudden, she has order-making powers that brings into one person or one office the roles of advocate, prosecutor and judge that is problematic generally speaking from an administrative point of view because you are mixing up what otherwise are very discreet roles in order to avoid actual bias or apprehension of bias,” said Fraser, who added that the current system, while not perfect, “is pretty good, better than systems in a number of other jurisdictions.”