At What Point Does the Failure of an Organization’s Security Safeguards Amount to Recklessness?

The tort of intrusion upon seclusion, as set out by the Ontario Court of Appeal in Jones v Tsige, requires the defendant’s conduct to be intentional, or, at a minimum, reckless. The question is: at what point does the failure of an organization’s security safeguards amount to recklessness? This was the question addressed by the Ontario Superior Court of Justice in the recent case, Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM) (“Queensway Carleton Hospital”).

The facts

The court heard that the Plaintiff, Ms. Wilson-Flewelling, had attended the defendant hospital (“Hospital”) to book a surgical procedure, that the Hospital’s medical office administrator had left a completed surgical booking package in the Hospital’s dedicated, locked drop box, and that the Plaintiff had unexpectedly received the package in the mail a week later.

Read More

Privacy Commissioner Issues Notice of Consultation on Artificial Intelligence

The Office of the Privacy Commissioner of Canada (“OPC“) has released a Consultation Paper on artificial intelligence (“AI“), saying that it is of the opinion that “responsible innovation involving AI systems must take place in a regulatory environment that respects fundamental rights and creates the conditions for trust in the digital economy to flourish. “

The OPC intends to examine AI in the context of the legislative reform policy analysis as it relates specifically to the Personal Information Protection and Electronic Documents Act (“PIPEDA“). The OPC is clear that it has concerns about AI, stating:

“In our view, AI presents fundamental challenges to all PIPEDA principles and we have identified several areas where the Act could be enhanced.”

Read More

Privacy Commissioner Backs Down on Changes to Cross Border Transfers

The Office of the Privacy Commissioner of Canada (“OPC“) has backed away from attempting to reverse its position on cross border transfers of personal information, saying that at least for now, its guideline for processing data across borders remains unchanged.

The Reversal

The OPC created controversy in its Equifax Finding, wherein it declared that consent was necessary for transfers for processing, a wholesale departure from its previous position. The OPC simultaneously announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the two-decades old existing policy on consent.

Read More

Claims for Both Punitive Damages and Damages for Intrusion Upon Seclusion Survive

The Issue

Does entering someone’s house while he is out of the country and stealing his personal documents amount to conduct that is so reprehensible that it might warrant an award for punitive damages on top of damages for breach of privacy? This was the question addressed by the Ontario Superior Court of Justice in Furfari v Pedias, 2019 ONSC 4278 (“Furfari”).

The Facts

The Plaintiff, Mr. Furfari, had previously been friends with the Defendant, Mr. Pedias, and his brother Mario, who was the vice-president of the company that the Plaintiff had previously worked for, and which was now suing him in unrelated action.

Read More

UK Privacy Regulator Publishes Report Critical of AdTech and Real Time Bidding

The rapid development of the online advertising industry and advances in advertising technology have resulted in automated and nearly instantaneous auctions of ad space on websites and other digital environments. This process, known as “Real Time Bidding” (“RTB”), is currently an area of concern for the United Kingdom Information Commissioner’s Office (“ICO”), which recently published an update report (“Update Report”) criticizing the online advertising industry’s handling of data and concluding that standard industry practices are non-compliant with European Union privacy laws.

How Real Time Bidding Works

Sophisticated RTB can be a complex series of processes and interactions, but at its most basic, it refers to a process by which online advertisers compete for an audience.

Read More

Court Finds Language of Privacy Act Precludes Arbitration of Privacy Disputes

Overview

There have been a number of recent decisions in the arbitration space regarding when it is appropriate to stay litigation in favour of arbitration and where it is not. In particular, recent appellate case law (e.g., Wellman, and Heller) discusses and interprets the principle set out in Seidel v. TELUS Communications Inc., 2011 SCC 15 that arbitration clauses will generally be enforced “absent legislative language to the contrary.”

In particular, these cases address whether statutory language in consumer protection and employment legislation constitutes “legislative language to the contrary” that precludes parties from agreeing to arbitrate. However, there was no case law that considered this issue in the context of the various privacy statutes that exist across Canada – until now.

Read More

The Privacy Commissioner, Search Engines and the Media – a Battle Over the “Right to be Forgotten”

In 2018, the Office of the Privacy Commissioner of Canada (“OPC”) began a reference to the Federal Court under subsection 18.3(1) of the Federal Courts Act (the “Reference”) in the context of an OPC investigation into a complaint made by an individual against Google. The complainant alleges that Google is contravening the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by continuing to display links to news articles concerning the complainant when his name is searched using Google’s search engine. He requested that Google remove the articles from search results using his name (otherwise known as de-indexing).

Read More