Privacy Commissioner Backs Down on Changes to Cross Border Transfers

The Office of the Privacy Commissioner of Canada (“OPC“) has backed away from attempting to reverse its position on cross border transfers of personal information, saying that at least for now, its guideline for processing data across borders remains unchanged.

The Reversal

The OPC created controversy in its Equifax Finding, wherein it declared that consent was necessary for transfers for processing, a wholesale departure from its previous position. The OPC simultaneously announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the two-decades old existing policy on consent.

Read More

Ontario Adopts Digital Insurance Certificates

An annual tradition in Ontario is an insured driver opening a letter from their insurer with their new or renewed automobile insurance policy, which includes their new “pink card” certificate evidencing their automobile insurance.  This certificate is often requested by police officers during a roadside stop, and shown to other drivers in the event of an automobile accident.

The Ontario government recently approved changes to the “pink card” process which acknowledges the reality of 21st century data storage and sets the stage for further changes to automobile insurance. 

What are the changes?

Motorists now have the option of carrying proof of automobile insurance on their smart phones or other mobile devices and this electronic certificate is required to have the same data fields, text, and overall appearance as the paper certificate.

Read More

Claims for Both Punitive Damages and Damages for Intrusion Upon Seclusion Survive

The Issue

Does entering someone’s house while he is out of the country and stealing his personal documents amount to conduct that is so reprehensible that it might warrant an award for punitive damages on top of damages for breach of privacy? This was the question addressed by the Ontario Superior Court of Justice in Furfari v Pedias, 2019 ONSC 4278 (“Furfari”).

The Facts

The Plaintiff, Mr. Furfari, had previously been friends with the Defendant, Mr. Pedias, and his brother Mario, who was the vice-president of the company that the Plaintiff had previously worked for, and which was now suing him in unrelated action.

Read More

UK Privacy Regulator Publishes Report Critical of AdTech and Real Time Bidding

The rapid development of the online advertising industry and advances in advertising technology have resulted in automated and nearly instantaneous auctions of ad space on websites and other digital environments. This process, known as “Real Time Bidding” (“RTB”), is currently an area of concern for the United Kingdom Information Commissioner’s Office (“ICO”), which recently published an update report (“Update Report”) criticizing the online advertising industry’s handling of data and concluding that standard industry practices are non-compliant with European Union privacy laws.

How Real Time Bidding Works

Sophisticated RTB can be a complex series of processes and interactions, but at its most basic, it refers to a process by which online advertisers compete for an audience.

Read More

Court Finds Language of Privacy Act Precludes Arbitration of Privacy Disputes

Overview

There have been a number of recent decisions in the arbitration space regarding when it is appropriate to stay litigation in favour of arbitration and where it is not. In particular, recent appellate case law (e.g., Wellman, and Heller) discusses and interprets the principle set out in Seidel v. TELUS Communications Inc., 2011 SCC 15 that arbitration clauses will generally be enforced “absent legislative language to the contrary.”

In particular, these cases address whether statutory language in consumer protection and employment legislation constitutes “legislative language to the contrary” that precludes parties from agreeing to arbitrate. However, there was no case law that considered this issue in the context of the various privacy statutes that exist across Canada – until now.

Read More

The Privacy Commissioner, Search Engines and the Media – a Battle Over the “Right to be Forgotten”

In 2018, the Office of the Privacy Commissioner of Canada (“OPC”) began a reference to the Federal Court under subsection 18.3(1) of the Federal Courts Act (the “Reference”) in the context of an OPC investigation into a complaint made by an individual against Google. The complainant alleges that Google is contravening the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by continuing to display links to news articles concerning the complainant when his name is searched using Google’s search engine. He requested that Google remove the articles from search results using his name (otherwise known as de-indexing).

Read More

Defendants Awarded Costs Where Bringing Breach Class Action Was “Questionable”

In the costs motion (Kaplan v. Casino Rama, 2019 ONSC 3310) arising from the litigation regarding the Casino Rama breach, Justice Belobaba awarded costs to the defendant, saying there was neither public interest nor a novel issue sufficient to warrant costs being awarded to the plaintiffs. Justice Belobaba was of the view that the very basis for bringing the class action was questionable, a fact which played a role in the plaintiffs having to pay. This decision may have class counsel more closely scrutinizing the merits of bringing data breach class actions.

Background

In an earlier decision released on May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion for certification, finding that the proposed class action “collapsed in its entirety” at the common issues stage.

Read More