Privacy Archives - Dentons Data

British Columbia Modifies Data Residency Requirements in Response to COVID-19

Posted on April 4, 2020 By Kirsten Thompson
Categories: COVID-19, Data Localization, Legislation, Privacy

British Columbia has temporarily modified its Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (“FIPPA“) to lift a requirement that personal information handled by public sector agencies, and service providers to those public sector agencies, be kept in Canada.

Under the Order, made on March 26, 2020, “health care bodies”, the Province and certain provincial health-related authorities and ministries may now disclose personal information inside or outside of Canada in accordance with s. 33.2(a) and (c) of FIPPA on the condition that the disclosure is necessary:

a. for the purposes of communicating with individuals respecting COVID-19,
b.

Privacy During a Pandemic: Privacy Commissioners Issue Guidance

Posted on March 20, 2020 By Kirsten Thompson
Categories: Guidance, Privacy

On March 20, 2020 the Office of the Privacy Commissioner of Canada (“OPC“) issued its guidance for privacy during a pandemic. The guidance, Privacy and the COVID-19 outbreak, deals primarily with the ability of an organization to handle personal information during a health emergency. Similar guidance was issued by the Privacy Commissioners in seven other provinces and is linked to within the OPC’s guidance.

Businesses hopeful that there would be some flexibility in the interpretation of the privacy laws during the COVID-19 pandemic will be disappointed. The OPC’s guidance does not offer any information on how businesses – many of which are being forced to rapidly retool existing processes or adopt new digital ones – can think differently about privacy or indicate that the OPC may interpret privacy laws more leniently in the context of an emergency.

Four of a kind: Ontario Recognizes the Fourth Privacy Tort – False Light

Posted on March 12, 2020 By Kirsten Thompson and Meredith Bacal
Categories: False Light, Litigation, Privacy

In late 2019, the Ontario Superior Court recognized the tort of placing a person in a false light for the first time. This landmark decision completes the set of four privacy torts, which are now all recognized in Ontario, and has implications for businesses.

For background on the three other privacy torts, intrusion upon seclusion was recognized by the Ontario Court of Appeal in Jones v Tsige in 2012. Following this landmark ruling, in 2016 and again in 2018, the Ontario Superior Court recognized the tort of public disclosure of private facts.[1] Misappropriation of personality has been recognized in Ontario since the 1970s.[2]

Changes Coming to British Columbia’s Privacy Law

Posted on February 26, 2020 By Kirsten Thompson
Categories: Data, Legislation, Privacy

On February 18, 2020, the British Columbia Legislature appointed a special committee to review that province’s Personal Information Protection Act (“PIPA“), the private sector privacy law applicable to British Columbia organizations.

PIPA came into effect in January 2004, and pursuant to s. 59, a special committee must review the Act every 6 years and submit a report. The report may include recommended amendments. In a period in which numerous privacy laws, both domestic and international are being revised, the move by the province comes as no surprise.

Also under review in a separate process is the federal private sector legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA“).

At What Point Does the Failure of an Organization’s Security Safeguards Amount to Recklessness?

Posted on January 30, 2020 By Luca Lucarini
Categories: Class Actions, Data, Intrusion upon Seclusion, Litigation, Privacy

The tort of intrusion upon seclusion, as set out by the Ontario Court of Appeal in Jones v Tsige, requires the defendant’s conduct to be intentional, or, at a minimum, reckless. The question is: at what point does the failure of an organization’s security safeguards amount to recklessness? This was the question addressed by the Ontario Superior Court of Justice in the recent case, Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM) (“Queensway Carleton Hospital”).

The facts

The court heard that the Plaintiff, Ms. Wilson-Flewelling, had attended the defendant hospital (“Hospital”) to book a surgical procedure, that the Hospital’s medical office administrator had left a completed surgical booking package in the Hospital’s dedicated, locked drop box, and that the Plaintiff had unexpectedly received the package in the mail a week later.

Privacy Commissioner Issues Notice of Consultation on Artificial Intelligence

Posted on January 29, 2020 By Kirsten Thompson
Categories: Artificial Intelligence, Data, Privacy

The Office of the Privacy Commissioner of Canada (“OPC“) has released a Consultation Paper on artificial intelligence (“AI“), saying that it is of the opinion that “responsible innovation involving AI systems must take place in a regulatory environment that respects fundamental rights and creates the conditions for trust in the digital economy to flourish. “

The OPC intends to examine AI in the context of the legislative reform policy analysis as it relates specifically to the Personal Information Protection and Electronic Documents Act (“PIPEDA“). The OPC is clear that it has concerns about AI, stating:

“In our view, AI presents fundamental challenges to all PIPEDA principles and we have identified several areas where the Act could be enhanced.”

Privacy Commissioner Backs Down on Changes to Cross Border Transfers

Posted on September 24, 2019 By Kirsten Thompson
Categories: Privacy

The Office of the Privacy Commissioner of Canada (“OPC“) has backed away from attempting to reverse its position on cross border transfers of personal information, saying that at least for now, its guideline for processing data across borders remains unchanged.

The Reversal

The OPC created controversy in its Equifax Finding, wherein it declared that consent was necessary for transfers for processing, a wholesale departure from its previous position. The OPC simultaneously announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the two-decades old existing policy on consent.