Privacy Commissioner Withdraws Transborder Consultation, Suggests Proactive Audits

On May 22, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) held its annual forum in Toronto, Ontario. Federal Commissioner Daniel Therrien headed the annual forum along with his provincial counterparts Jill Clayton, the Information and Privacy Commissioner of Alberta, and Michael McEvoy, the Information and Privacy Commissioner of British Columbia.

The forum provides the OPC with an opportunity to update practitioners and stakeholders on current and upcoming privacy matters, as well as an opportunity to discuss and share perspectives. Not surprisingly, the topic of transborder data flows dominated the discussion. Here are three key takeaways from the forum.


New “Digital Charter” Hints at Data Portability, Digital Identity, and Penalties

The federal government announced a new “digital charter” today, emphasizing Canadians’ control over their own personal information and hinting at a “strong enforcement” regime aimed at global internet companies that violate privacy laws.

The digital charter does not have the power of law, but is rather a “set of principles that all government policy and legislation will be measured against.” There is no time left in the current federal government’s mandate to reform existing privacy laws and the charter is a halfway measure, signalling to Canadians, and to social media and internet companies especially, that change is coming and what that change might look like.


Privacy Commissioner Extends Deadline for Transborder Data Flow Consultation

The Office of the Privacy Commissioner of Canada (“OPC”) has announced it will now be accepting comments related to its consultation on transborder data flows until Friday, June 28, 2019.

The discussion document, which was released on April 9, 2019 (see our blog post here, and our blog post about the OPC’s supplemental consultation paper here) reflected a reversal in the OPC’s twenty-year-old policy position on transborder data flows under the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The OPC has indicated that it intends to provide guidance on disclosures for processing and related consent and accountability requirements.


Certification of Breach Class Action Denied in Absence of Provable Losses, Commonality

On May 7, 2019, Justice Belobaba denied the motion for certification in the class action brought against Casino Rama relating to a 2016 data breach (Kaplan v. Casino Rama, 2019 ONSC 2025). Despite having five representatives, the plaintiffs were unable to show provable losses, which significantly hampered their case. What was ultimately fatal to the motion, however, was the lack of commonality, leading Justice Belobaba to remark:

The problem here, with almost all of the [proposed common issues (“PCI”)], is that there is no basis in fact for either the existence of the PCI or its overall commonality or both.


Court Declines to Compel Accused to Provide Smartphone Password


In declining to issue an assistance order compelling an accused to provide the password to his smartphone, Justice Downes’ decision in R v. Shergill, 2019 ONCJ 54 establishes that, at least in some cases, compelling the production of a password for the purposes of building a case against an individual violates the right against self-incrimination.

R v. Shergill is another step in the unique search and seizure dynamics involved in the acquisition of evidence from cell phones. Password-protected smartphones in particular present unique challenges to the police and to privacy law as it has developed under the bricks-and-mortar world of the Charter in the last ten years.


Meaningful Human Review In Decisions by Automated Decision-makers

On April 12, 2019, the UK’s Information Commissioner’s Office published comprehensive guidance (“Guidance”) titled Automated Decision Making: the role of meaningful human reviews, one of the first posts on its recently launched AI Auditing Framework Blog. Although not binding on Canadian companies (which are subject to different laws), the post (and the blog generally) provide helpful information for companies implementing artificial intelligence (“AI”).

Also relevant to Canadian organizations is the Canadian federal government’s Directive on Automated Decision-making (“Directive”), published April 1, 2019, which applies to any Automated Decision System developed or procured by the federal government after April 1, 2020.


Privacy Commissioner Issues Supplemental Consultation Paper on Consent for Transborder Data Flows

On April 9, 2019, the Office of the Privacy Commissioner of Canada (“OPC”) announced it would be holding a stakeholder consultation on transborder data flows. The consultation paper (“Consultation Paper”) proposed a reversal of the two-decade-old existing policy on consent in such cases. See our previous post here.

However, the Consultation Paper simply stated the OPC’s position and invited the public’s views, with no indication of why the OPC thought the change was necessary or what the key issues were. Shortly thereafter, the OPC issued a supplemental consultation paper (“Supplemental Consultation Paper”), in which the OPC provided its rationale for its about-face, and posed specific questions for stakeholders to consider.
