British Columbia Modifies Data Residency Requirements in Response to COVID-19

British Columbia has temporarily modified its Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (“FIPPA“) to lift a requirement that personal information handled by public sector agencies, and service providers to those public sector agencies, be kept in Canada.

Under the Order, made on March 26, 2020, “health care bodies”, the Province and certain provincial health-related authorities and ministries may now disclose personal information inside or outside of Canada in accordance with s. 33.2(a) and (c) of FIPPA on the condition that the disclosure is necessary:

a. for the purposes of communicating with individuals respecting COVID-19,
b.

Read More

Privacy During a Pandemic: Privacy Commissioners Issue Guidance

On March 20, 2020 the Office of the Privacy Commissioner of Canada (“OPC“) issued its guidance for privacy during a pandemic. The guidance, Privacy and the COVID-19 outbreak, deals primarily with the ability of an organization to handle personal information during a health emergency. Similar guidance was issued by the Privacy Commissioners in seven other provinces and is linked to within the OPC’s guidance.

Businesses hopeful that there would be some flexibility in the interpretation of the privacy laws during the COVID-19 pandemic will be disappointed. The OPC’s guidance does not offer any information on how businesses – many of which are being forced to rapidly retool existing processes or adopt new digital ones – can think differently about privacy or indicate that the OPC may interpret privacy laws more leniently in the context of an emergency.

Read More

Four of a kind: Ontario Recognizes the Fourth Privacy Tort – False Light

In late 2019, the Ontario Superior Court recognized the tort of placing a person in a false light for the first time. This landmark decision completes the set of four privacy torts, which are now all recognized in Ontario, and has implications for businesses.

For background on the three other privacy torts, intrusion upon seclusion was recognized by the Ontario Court of Appeal in Jones v Tsige in 2012. Following this landmark ruling, in 2016 and again in 2018, the Ontario Superior Court recognized the tort of public disclosure of private facts.[1] Misappropriation of personality has been recognized in Ontario since the 1970s.[2]

Read More

Changes Coming to British Columbia’s Privacy Law

On February 18, 2020, the British Columbia Legislature appointed a special committee to review that province’s Personal Information Protection Act (“PIPA“), the private sector privacy law applicable to British Columbia organizations.

PIPA came into effect in January 2004, and pursuant to s. 59, a special committee must review the Act every 6 years and submit a report. The report may include recommended amendments. In a period in which numerous privacy laws, both domestic and international are being revised, the move by the province comes as no surprise.

Also under review in a separate process is the federal private sector legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA“).

Read More

At What Point Does the Failure of an Organization’s Security Safeguards Amount to Recklessness?

The tort of intrusion upon seclusion, as set out by the Ontario Court of Appeal in Jones v Tsige, requires the defendant’s conduct to be intentional, or, at a minimum, reckless. The question is: at what point does the failure of an organization’s security safeguards amount to recklessness? This was the question addressed by the Ontario Superior Court of Justice in the recent case, Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM) (“Queensway Carleton Hospital”).

The facts

The court heard that the Plaintiff, Ms. Wilson-Flewelling, had attended the defendant hospital (“Hospital”) to book a surgical procedure, that the Hospital’s medical office administrator had left a completed surgical booking package in the Hospital’s dedicated, locked drop box, and that the Plaintiff had unexpectedly received the package in the mail a week later.

Read More

Privacy Commissioner Issues Notice of Consultation on Artificial Intelligence

The Office of the Privacy Commissioner of Canada (“OPC“) has released a Consultation Paper on artificial intelligence (“AI“), saying that it is of the opinion that “responsible innovation involving AI systems must take place in a regulatory environment that respects fundamental rights and creates the conditions for trust in the digital economy to flourish. “

The OPC intends to examine AI in the context of the legislative reform policy analysis as it relates specifically to the Personal Information Protection and Electronic Documents Act (“PIPEDA“). The OPC is clear that it has concerns about AI, stating:

“In our view, AI presents fundamental challenges to all PIPEDA principles and we have identified several areas where the Act could be enhanced.”

Read More

Deepfakes, Risk and Liability

“A lie gets halfway around the world before the truth has a chance to get its pants on.”

– variously attributed

As artificial intelligence (AI) advances it creates both benefits and dangers, and few applications illustrate that fact better than the emergence of “deepfakes.” A portmanteau of “deep learning” and “fake,” deepfakes are AI-generated audios or even videos of real people saying fake things. While, in the case of videos at least, it is still reasonably easy to distinguish between a deepfake and the genuine article, the gap is narrowing and it may not be long before seeing is no longer believing.

Read More