Contact tracing apps have been identified as a potentially important part of the response to COVID-19 and are now being developed in many jurisdictions, through both public and private initiatives. For example, Singapore has already deployed a contact tracing app and Alberta Health Services is using a similar app, tweaked for their use. Likewise, it has been widely reported that Apple and Google are working together to develop a contact tracing app and the media has covered contact tracing apps in Canada as well (for instance, here, here, here and here). As Dr. Bonny Henry (BC’s chief medical officer) recently joked: “Everybody and their dog has an app out right now”.
When responding to a cyberattack, an organization will likely need to retain external cybersecurity, ransomware and digital forensics experts. Their work product (reports and other documents related to the incident or the organization’s data security practices) may later become the subject of a production request by either a regulator or plaintiff in litigation. It is therefore important to consider in advance if and how such work product may be protected by privilege in order to be able to respond adequately to such a request.
This issue – whether such documents are protected by privilege – arose in a recent decision of the Information and Privacy Commissioner of Ontario (the “IPC”).
Previous Dentons Data blog post have explained the application of privacy laws during this pandemic (see here and here) – hint: they still apply. This post builds on that and addresses the privacy litigation risks associated with any failures to comply with these laws, even – and especially – during this pandemic. We ask: What does COVID 19 mean from a privacy litigation risk perspective, and what can companies do to mitigate that risk?
The Litigation Landscape: Where were we before COVID-19?
Following the Court of Appeal for Ontario’s 2012 decision in Jones v. Tsige, establishing the tort of intrusion upon seclusion, there has been a proliferation of class actions relating to alleged privacy breaches.
A continuing anxiety for Canadian business is their liability for the deliberate wrongdoing of an employee, who for reasons of his or her own, steals personal information and releases it publically. Employers with even the most robust of cybersecurity and privacy protections can still fall victim to a rogue employee.
There is currently no final decision in Canada on whether a corporation can be vicariously liable for the actions of a rogue employee who breaches the privacy of the company’s employees or customers. To date, that issue has been addressed only at the certification stage of class proceedings on a preliminary basis.
There have been a number of recent decisions in the arbitration space regarding when it is appropriate to stay litigation in favour of arbitration and where it is not. In particular, recent appellate case law (e.g., Wellman, and Heller) discusses and interprets the principle set out in Seidel v. TELUS Communications Inc., 2011 SCC 15 that arbitration clauses will generally be enforced “absent legislative language to the contrary.”
In particular, these cases address whether statutory language in consumer protection and employment legislation constitutes “legislative language to the contrary” that precludes parties from agreeing to arbitrate. However, there was no case law that considered this issue in the context of the various privacy statutes that exist across Canada – until now.
In 2018, the Office of the Privacy Commissioner of Canada (“OPC”) began a reference to the Federal Court under subsection 18.3(1) of the Federal Courts Act (the “Reference”) in the context of an OPC investigation into a complaint made by an individual against Google. The complainant alleges that Google is contravening the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by continuing to display links to news articles concerning the complainant when his name is searched using Google’s search engine. He requested that Google remove the articles from search results using his name (otherwise known as de-indexing).
It will come as no surprise that the insolvency of a cryptocurrency exchange can lead to concerns about the recovery of assets (just think about the recent insolvency of the Canadian exchange, QuadrigaCX). The recent insolvency of Cryptopia Limited (“Cryptopia”), a New Zealand-based cryptocurrency exchange, is a good example of how these concerns can play out. It demonstrates the importance of taking steps (both in advance of insolvency, and afterwards) to protect the assets of an insolvent exchange – in this case, to preserve data assets consisting of user account information held by a third party in another jurisdiction that the liquidator needed to determine the owners/potential creditors of millions of cryptocurrency tokens held by the insolvent company.