Information, Privacy and Data Security Post

Hicks Morley Information and Privacy Post – 2011/2012

Information, Privacy and Data Security Post

Hicks Morley Information and Privacy Post – 2011/2012

Date: August 21, 2012

Dear Friends:

It’s late August 2012, and here’s what’s on our minds.

Our Information and Privacy Post is back. This edition contains 61 case summaries relating to the protection of confidential business information, electronic evidence, freedom of information, privacy, privilege and production.

It has been a remarkable year. Canadian privacy law, in particular, has made a significant shift. With its decision in Jones v Tsige (page 12), the Court of Appeal for Ontario recognized a new common law privacy right. This new tort applies narrowly – to intentional “intrusions” into private affairs – and includes a “highly offensive” standard that defendants can rightly view as prophylactic. Jones v Tsige, however, opens a door. “What’s next?” is the right question to ask.

Will Canadian courts, for example, recognize a cause of action for public disclosure of private facts? Will damage be presumed and, if so, what kind of damage? If liability flows from mere disclosure, will due diligence be a defence? How will the standard of care be calibrated?

Some clarity would be nice given data breach litigation in Canada is now a reality. In the Rowlands case (page 17), the Ontario Superior Court of Justice approved a settlement that was structured on an assumption that the compensable damages suffered by class members would be minimal to non-existent. Justice Lauwers followed a Québec decision from earlier in the year called Mazzona (page 16), in which the Québec Superior Court dismissed a motion for certification because a data breach class action could not be founded on “potential damage” and the petitioner failed to establish she suffered compensable psychological damage. While positive, the real prospect of data breach class action claims that, even with a reasonable defence, might expose an organization to the kind of counsel fees agreed to be paid in Rowlands is certainly a call to data security “behavior modification.”

That kind of behavior modification certainly hasn’t flown from our federal commercial sector privacy statue – the Personal Information Protection and Electronic Documents Act. This statute, which governs the collection, use and disclosure of personal activity in the course of commercial activity in seven out of ten provinces and the three territories, has produced a trail of cases in which applicants have established liability but received very moderate damages or no damages at all (see the cases we’ve indexed under “PIPEDA damages judgments”). While the Office of the Privacy Commissioner of Canada has used PIPEDA to achieve some high-profile successes in dealing with Facebook, it seems the statute is most notorious for causing the frustration of provincial superior court judges, who don’t quite know what to make of it (see the cases we’ve indexed under “Awkward privacy cases”). With amendments that arose from a parliamentary review that commenced way back in 2006 languishing, one might question whether the statute will hold its relevance. The OPC is aware of this issue, and has begun lobbying for the power to impose administrative monetary penalties and make orders, a development for organizations to watch.

So what if privacy protection becomes the responsibility of our judges? Ontario Commissioner Anne Cavoukian made the news this year when she said she’s lost faith in the inclination of judges to protect individual privacy. I don’t agree. Judges are rightly conservative in making new policy. Their effective stewardship of rights under section 8 of the Canadian Charter of Rights and Freedoms shows they are not out of touch with privacy, though judges from Alberta deserve note for routinely trouncing upon the Office of the Information and Privacy Commissioner of Alberta. The most recent trouncing, in United Food and Commercial Workers (page 13), rivals Jones v Tsige for privacy decision of the year and raises some fundamental questions about the permissible scope of privacy legislation under the Charter. The Alberta OIPC has filed leave to appeal to the Supreme Court of Canada.

So these are very interesting times. The change is real and significant. We hope this document helps you get up to date and equipped for the information management and privacy issues coming your way. Of course, if we can help, please get in touch.

Read the full PDF Hicks Morley Information and Privacy Post – 2011/2012.