UK Privacy Regulator Publishes Report Critical of AdTech and Real Time Bidding

The rapid development of the online advertising industry and advances in advertising technology have resulted in automated and nearly instantaneous auctions of ad space on websites and other digital environments. This process, known as “Real Time Bidding” (“RTB”), is currently an area of concern for the United Kingdom Information Commissioner’s Office (“ICO”), which recently published an update report (“Update Report”) criticizing the online advertising industry’s handling of data and concluding that standard industry practices are non-compliant with European Union privacy laws.

How Real Time Bidding Works

Sophisticated RTB can be a complex series of processes and interactions, but at its most basic, it refers to a process by which online advertisers compete for an audience.

Read More

Court Finds Language of Privacy Act Precludes Arbitration of Privacy Disputes

Overview

There have been a number of recent decisions in the arbitration space regarding when it is appropriate to stay litigation in favour of arbitration and where it is not. In particular, recent appellate case law (e.g., Wellman, and Heller) discusses and interprets the principle set out in Seidel v. TELUS Communications Inc., 2011 SCC 15 that arbitration clauses will generally be enforced “absent legislative language to the contrary.”

In particular, these cases address whether statutory language in consumer protection and employment legislation constitutes “legislative language to the contrary” that precludes parties from agreeing to arbitrate. However, there was no case law that considered this issue in the context of the various privacy statutes that exist across Canada – until now.

Read More

The Privacy Commissioner, Search Engines and the Media – a Battle Over the “Right to be Forgotten”

In 2018, the Office of the Privacy Commissioner of Canada (“OPC”) began a reference to the Federal Court under subsection 18.3(1) of the Federal Courts Act (the “Reference”) in the context of an OPC investigation into a complaint made by an individual against Google. The complainant alleges that Google is contravening the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by continuing to display links to news articles concerning the complainant when his name is searched using Google’s search engine. He requested that Google remove the articles from search results using his name (otherwise known as de-indexing).

Read More

Defendants Awarded Costs Where Bringing Breach Class Action Was “Questionable”

In the costs motion (Kaplan v. Casino Rama, 2019 ONSC 3310) arising from the litigation regarding the Casino Rama breach, Justice Belobaba awarded costs to the defendant, saying there was neither public interest nor a novel issue sufficient to warrant costs being awarded to the plaintiffs. Justice Belobaba was of the view that the very basis for bringing the class action was questionable, a fact which played a role in the plaintiffs having to pay. This decision may have class counsel more closely scrutinizing the merits of bringing data breach class actions.

Background

In an earlier decision released on May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion for certification, finding that the proposed class action “collapsed in its entirety” at the common issues stage.

Read More

Privacy Commmissioner Announces New “Re-Framed” Consultation on Transborder Data Flows

In a further development in the on again/off again transborder data flows consultation, the Office of the Privacy Commissioner of Canada (“OPC”) has announced it is on again.

The OPC made the announcement on June 11, 2019 and characterized this new consultation as a “re-framing” of the prior, withdrawn one. Our commentary on the on again/off again process can be found here, here and here.

The OPC said it had decided to change its approach to consultation in light of the publication by the federal government of its Digital Charter on May 21, 2019 which suggested to the OPC that “transborder data flows may be dealt with in an eventual new federal privacy law.”

The OPC is inviting stakeholder views both on how the current law should be interpreted and applied in these contexts, and on how a future law should provide effective privacy protection in the context of transfers for processing.

Read More

UK Draft Code for Children’s Privacy has Broad Scope, Could Influence Canadian Approach

Children’s privacy is increasingly in the regulatory spotlight, and a new consultation paper from the UK suggests that even organizations which do not specifically target children may have regulatory obligations. Canada doesn’t currently specifically regulate children’s privacy, but in light of the Office of the Privacy Commissioner of Canada’s (“OPC”) recent Guidelines for Obtaining Meaningful Consent (“Meaningful Consent Guidelines”), the OPC may take a similarly broad approach to the interpretation and application of privacy laws.

UK Information Commissioner’s Approach

On May 31, 2019, the UK’s Information Commissioner’s Office (“ICO”) wrapped up a month and a half long public consultation on its draft Age appropriate design code of practice (“Code of Practice”).

Read More

Court of Appeal Clarifies Limitations Period in Alberta Privacy Actions

On May 12, 2019, the Alberta Court of Appeal released a decision from a summary dismissal application that should resolve any confusion that may have arisen at the crossroads of that province’s limitations act and its privacy legislation, the Personal Information Protection Act, SA 2003, c P-6.5 (“PIPA”).

In Alberta, in order to have a cause of action related to a privacy breach claim, claimants must first go before the Office of the Information  and Privacy Commissioner of Alberta (“AB OIPC”) and obtain a final order against an organization. Only then does a claimant have a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach by the organization.

Read More