The Competition Bureau Reviews Privacy Statements for “false or misleading” Representations, Levies $9 Million Fine

The worlds of competition law and privacy law have been spinning closer together in Canada for the past several years. In the Competition Bureau’s Big Data and Innovation paper released in February 2018, the Bureau stated that its “mandate to ensure truth in advertising may overlap with the OPC’s [Office of the Privacy Commissioner’s] mandate to protect privacy rights. Both mandates are important to protect consumers in the digital economy. The Bureau will continue to enforce provisions of the Act even if the offending actions may be subject to enforcement under PIPEDA.” 

The Bureau has reiterated this statement (and approach) in a series of speeches, reports and guidance, in which the Bureau has signalled that it would aggressively pursue its goal of enforcing competition law in the digital economy.

Read More

Contact Tracing Apps in Canada

Contact tracing apps have been identified as a potentially important part of the response to COVID-19 and are now being developed in many jurisdictions, through both public and private initiatives. For example, Singapore has already deployed a contact tracing app and Alberta Health Services is using a similar app, tweaked for their use. Likewise, it has been widely reported that Apple and Google are working together to develop a contact tracing app and the media has covered contact tracing apps in Canada as well (for instance, here, here, here and here). As Dr. Bonny Henry (BC’s chief medical officer) recently joked: “Everybody and their dog has an app out right now”.

Read More

Information and Privacy Commissioner of Ontario Rejects Privilege Claim, Orders Production of Cybersecurity Report

When responding to a cyberattack, an organization will likely need to retain external cybersecurity, ransomware and digital forensics experts. Their work product (reports and other documents related to the incident or the organization’s data security practices) may later become the subject of a production request by either a regulator or plaintiff in litigation. It is therefore important to consider in advance if and how such work product may be protected by privilege in order to be able to respond adequately to such a request.

This issue – whether such documents are protected by privilege – arose in a recent decision of the Information and Privacy Commissioner of Ontario (the “IPC”).

Read More

No Vicarious Liability of Employers for Data Breach – A Good News Story from the UK

A continuing anxiety for Canadian business is their liability for the deliberate wrongdoing of an employee, who for reasons of his or her own, steals personal information and releases it publically. Employers with even the most robust of cybersecurity and privacy protections can still fall victim to a rogue employee.

There is currently no final decision in Canada on whether a corporation can be vicariously liable for the actions of a rogue employee who breaches the privacy of the company’s employees or customers. To date, that issue has been addressed only at the certification stage of class proceedings on a preliminary basis.

Read More

British Columbia Modifies Data Residency Requirements in Response to COVID-19

British Columbia has temporarily modified its Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c.165 (“FIPPA“) to lift a requirement that personal information handled by public sector agencies, and service providers to those public sector agencies, be kept in Canada.

Under the Order, made on March 26, 2020, “health care bodies”, the Province and certain provincial health-related authorities and ministries may now disclose personal information inside or outside of Canada in accordance with s. 33.2(a) and (c) of FIPPA on the condition that the disclosure is necessary:

a. for the purposes of communicating with individuals respecting COVID-19,
b.

Read More

Privacy During a Pandemic: Privacy Commissioners Issue Guidance

On March 20, 2020 the Office of the Privacy Commissioner of Canada (“OPC“) issued its guidance for privacy during a pandemic. The guidance, Privacy and the COVID-19 outbreak, deals primarily with the ability of an organization to handle personal information during a health emergency. Similar guidance was issued by the Privacy Commissioners in seven other provinces and is linked to within the OPC’s guidance.

Businesses hopeful that there would be some flexibility in the interpretation of the privacy laws during the COVID-19 pandemic will be disappointed. The OPC’s guidance does not offer any information on how businesses – many of which are being forced to rapidly retool existing processes or adopt new digital ones – can think differently about privacy or indicate that the OPC may interpret privacy laws more leniently in the context of an emergency.

Read More

Four of a kind: Ontario Recognizes the Fourth Privacy Tort – False Light

In late 2019, the Ontario Superior Court recognized the tort of placing a person in a false light for the first time. This landmark decision completes the set of four privacy torts, which are now all recognized in Ontario, and has implications for businesses.

For background on the three other privacy torts, intrusion upon seclusion was recognized by the Ontario Court of Appeal in Jones v Tsige in 2012. Following this landmark ruling, in 2016 and again in 2018, the Ontario Superior Court recognized the tort of public disclosure of private facts.[1] Misappropriation of personality has been recognized in Ontario since the 1970s.[2]

Read More